Ask Your Question
0

How do I extract the hex section from a pcap file?

asked 2019-11-12 22:51:46 +0000

a__lmonkey gravatar image

updated 2019-11-12 23:03:08 +0000

for homework, i was given a captured pcap file from a USB and was told to identify a 'flag' which it contains.

I've researched the right code (Tshark) to use for this, however, I don't know what field to refer to in order to extract the flag from it - I feel like it would be the hexadecimal values that need to be extracted for the contents of the USB but I don't know how to refer to it when using tshark.

tshark -r targetFile.pcapng -T fields -e _ws.col.Info > outFile.csv

here is the code I have, the -e is referring to the 'info' column of Wireshark but I want to extract the hex values at the bottom, what is the correct syntax for this?

please thank you

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
1

answered 2019-11-13 08:33:31 +0000

grahamb gravatar image

updated 2019-11-13 16:13:18 +0000

cmaynard gravatar image

Extra fields are specified in the command by adding a -e argument with the field name, use multiple -e field.name arguments for multiple fields. You can find the field name in the GUI by selecting the field of interest in the packet details pane and looking at the info in the status bar at the bottom left. The field name is in parentheses.

edit flag offensive delete link more
add a comment
0

answered 2019-11-13 16:25:21 +0000

Chuckc gravatar image

" I want to extract the hex values at the bottom"

https://www.wireshark.org/docs/man-pa...

-x
Cause TShark to print a hex and ASCII dump of the packet data after printing the summary and/or details, if either are also being displayed.
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-11-12 22:51:46 +0000

Seen: 2,943 times

Last updated: Nov 13 '19

Related questions

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark

Can I create a capture filter on a pcap file

Resolve frame subtype and export to csv

Capture from only one Port in wireshark and tshark

Delay in GOOSE Subscription

What is the syntax for wireshark custom column

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2