How can I read a hex dump of packet data from TShark, filter it with a Python program, and write it out as a capture file?
Because display filters are not supported when saving captured data with tshark, I am trying to create a valid cap file that I can read in Wireshark.
I capture data with tshark -x
In Python I am scraping the raw data with:
raw_packet = ''
for oneline in hexdump_lines:  # hexdump_lines: the lines of the tshark -x output (placeholder name)
    substring = oneline[5:53]  # the hex byte columns of one dump line
    clean = ''.join([c for c in substring if 34 < ord(c) < 127])  # drop the spaces
    raw_packet += clean
I am converting these data back to raw hex data:
newFile = open("filename.cap", "wb")
newFile.write(bytes.fromhex(raw_packet))
newFile.close()
I also tried:
import binascii
newFile.write(bytearray(binascii.unhexlify(raw_packet)))
or
newFile.write(binascii.unhexlify(raw_packet))
But when I open filename.cap in Wireshark I don't see normal packet data:
Frame 1: 260 bytes on wire (2080 bits), 260 bytes captured (2080 bits)
Encapsulation type: JavaScript Object Notation (175)
Frame Number: 1
Frame Length: 260 bytes (2080 bits)
Capture Length: 260 bytes (2080 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: json:data-text-lines]
JavaScript Object Notation
Line-based text data (1 lines)
[truncated]\000\000 \000\256@\000\240 \b\000\240
\b\000\000\020\002l\t\240\000\336\000d\000\000\000\000\000\000\001\200\000\000\000\377\377\377\377\377\377\264\373\344J\352\346\264\373\344J\352\346p!\200\201+A'\000\000\000d\0001\004\000\
Is the raw data provided by tshark complete?
How can I convert it back to a Wireshark-readable file?
Or what am I doing wrong?
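An added example (not the asker's code) of the whole path: parse the `tshark -x` dump rows, filter the frames in Python, and write a pcap with the global header and per-record headers that Wireshark needs to recognise the file. It assumes Ethernet frames (link type 1), a constructed two-frame dump, and invented function names.

```python
import re
import struct

# Constructed sample of `tshark -x` output (not from the question): each frame is a
# one-line summary followed by its hex dump (offset, up to 16 bytes, ASCII column).
TSHARK_X_OUTPUT = """\
    1   0.000000 00:11:22:33:44:55 -> Broadcast ARP 42 Who has 192.168.1.1? Tell 192.168.1.10

0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01   ........"3DU....
0010  08 00 06 04 00 01 00 11 22 33 44 55 c0 a8 01 0a   ........"3DU....
0020  00 00 00 00 00 00 c0 a8 01 01                     ..........

    2   0.000512 aa:bb:cc:dd:ee:ff -> 00:11:22:33:44:55 ARP 42 192.168.1.1 is at aa:bb:cc:dd:ee:ff

0000  00 11 22 33 44 55 aa bb cc dd ee ff 08 06 00 01   .."3DU..........
0010  08 00 06 04 00 02 aa bb cc dd ee ff c0 a8 01 01   ................
0020  00 11 22 33 44 55 c0 a8 01 0a                     .."3DU....
"""
# A dump row: 4 hex digits of offset, two spaces, then 1..16 "xx " byte groups.
# Matching the row shape (not fixed columns) skips summary lines and the ASCII column.
DUMP_LINE = re.compile(r"^([0-9a-fA-F]{4})  ((?:[0-9a-fA-F]{2} ?){1,16})")

def parse_tshark_hexdump(text):
    """Return the frames in `tshark -x` output as a list of bytes objects."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset == 0 and current:          # offset restarts: the next frame begins
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):           # rows of one frame must be contiguous
            raise ValueError("offset %04x does not follow %d bytes" % (offset, len(current)))
        current += bytes.fromhex(m.group(2).replace(" ", ""))
    if current:
        packets.append(bytes(current))
    return packets

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # assumption: the frames are Ethernet

def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Prefix the pcap global header and one record header per frame (the headers a
    file written straight from bytes.fromhex lacks, so Wireshark cannot recognise it)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        # -x output carries no timestamps; constructed ones (frame index in seconds) are used
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)

def hexdump_to_pcap(text, keep=lambda frame: True):
    """Parse, filter with a Python predicate, and return the pcap file contents."""
    return build_pcap([f for f in parse_tshark_hexdump(text) if keep(f)])
```

Write the return value of `hexdump_to_pcap` to a file opened with `"wb"` and Wireshark opens it as an Ethernet capture; the `keep` predicate is where the Python-side filtering goes.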