
How can I read a hex dump of packet data from TShark, filter it with a Python program, and write it out as a capture file?

asked 2019-12-30 15:02:09 +0000

vladinko0

updated 2019-12-31 04:05:19 +0000

Guy Harris

Because display filters are not supported when saving captured data with tshark, I am trying to create a valid cap file that I can read in Wireshark.

I capture data with tshark -x.

In Python I am scraping the raw data with:

raw_packet = ''
for oneline in hexdump_lines:       # lines of the `tshark -x` output
    substring = oneline[5:53]       # hex byte columns (offset occupies the first characters)
    clean = ''.join([c for c in substring if 34 < ord(c) < 127])   # keep hex digits, drop spaces
    raw_packet += clean

I am converting these data back to raw hex data:

newFile = open("filename.cap", "wb")
newFile.write(bytes.fromhex(raw_packet))

I also tried:

import binascii

newFile.write(bytearray(binascii.unhexlify(raw_packet)))

or

newFile.write(binascii.unhexlify(raw_packet))

But when I open filename.cap in Wireshark I don't see normal packet data:

Frame 1: 260 bytes on wire (2080 bits), 260 bytes captured (2080 bits)
    Encapsulation type: JavaScript Object Notation (175)
    Frame Number: 1
    Frame Length: 260 bytes (2080 bits)
    Capture Length: 260 bytes (2080 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: json:data-text-lines]
JavaScript Object Notation
Line-based text data (1 lines)
     [truncated]\000\000 \000\[email protected]\000\240 \b\000\240
\b\000\000\020\002l\t\240\000\336\000d\000\000\000\000\000\000\001\200\000\000\000\377\377\377\377\377\377\264\373\344J\352\346\264\373\344J\352\346p!\200\201+A'\000\000\000d\0001\004\000\

Are the raw data provided by tshark complete?

How can I convert them back to a Wireshark-readable file?

Or what am I doing wrong?


1 Answer


answered 2019-12-31 04:03:50 +0000

Guy Harris

updated 2019-12-31 04:06:19 +0000

Or what am I doing wrong?

Assuming that a raw blob of data is a valid capture file.

There are a number of capture file formats that Wireshark can read.

Its native formats are pcap and pcapng; you should probably consider using a library such as Pcapy to write a file in pcap format.

Or you could write the TShark output as a pcap or pcapng file (with -w rather than -x), read it with Pcapy, process it in your Python program, and write it using Pcapy.
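As an added example (not code from the question or the answer), the conversion the thread is after done end to end: parse `tshark -x` hexdump text into frames, filter them in Python, and serialise the survivors as a classic pcap file with the global header and per-record headers that a raw blob lacks. It uses only the standard library instead of Pcapy; the sample hexdump, the `is_arp` filter, the sequential timestamps and the output file name are constructed assumptions.

```python
import re
import struct

# Constructed sample laid out like `tshark -x` output: a summary line per packet
# followed by "offset  hex bytes   ASCII" rows; all values are made up.
SAMPLE_HEXDUMP = """\
  1 0.000000 00:11:22:33:44:55 -> ff:ff:ff:ff:ff:ff ARP 22 Who has 10.0.0.1?
0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01   ................
0010  08 00 06 04 00 01                                 ......

  2 0.000100 00:11:22:33:44:55 -> 00:aa:bb:cc:dd:ee IPv4 16 [truncated]
0000  00 aa bb cc dd ee 00 11 22 33 44 55 08 00 45 00   ..............E.
"""

# Offset column, two spaces, then 1..16 "xx " groups; the ASCII column is never
# consumed because it is not a run of hex pairs, so row padding does not matter.
HEX_ROW = re.compile(r'^([0-9a-fA-F]{4})  ((?:[0-9a-fA-F]{2} ?){1,16})')

def parse_hexdump(text):
    """Return a list of frames (bytes). A row at offset 0000 starts a new frame;
    summary lines and blank lines are ignored."""
    frames, cur = [], None
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if not m:
            continue
        if m.group(1) == '0000':
            cur = bytearray()
            frames.append(cur)
        if cur is not None:
            cur += bytes.fromhex(m.group(2).replace(' ', ''))
    return [bytes(f) for f in frames]

def is_arp(frame):
    """Example Python-side filter: Ethernet frames whose EtherType is ARP (0x0806)."""
    return frame[12:14] == b'\x08\x06'

def build_pcap(frames, linktype=1):
    """Serialise frames as a classic pcap file: 24-byte global header (magic, version
    2.4, zone, sigfigs, snaplen, linktype 1 = Ethernet) and a 16-byte record header
    per frame. Hex rows carry no timestamp, so frames get placeholder stamps 0.i us."""
    out = bytearray(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', 0, i, len(frame), len(frame)) + frame
    return bytes(out)

if __name__ == '__main__':
    kept = [f for f in parse_hexdump(SAMPLE_HEXDUMP) if is_arp(f)]
    with open('filtered.pcap', 'wb') as fh:   # opens cleanly in Wireshark
        fh.write(build_pcap(kept))
```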
