How can I read a hex dump of packet data from TShark, filter it with a Python program, and write it out as a capture file?

asked 2019-12-30 15:02:09 +0000 by vladinko0

updated 2019-12-31 04:05:19 +0000 by Guy Harris

Because display filters are not supported when saving captured data with tshark, I am trying to create a valid cap file that I can read in Wireshark.

I capture data with tshark -x

In Python I am scraping the raw data with:

raw_packet = ''
for oneline in lines:                      # lines of the tshark -x output
    substring = oneline[5:53]              # the hex byte columns of the line
    clean = ''.join([c for c in substring if 34 < ord(c) < 127])   # strip spaces
    raw_packet += clean

I am converting this data back to raw hex data:

newFile = open("filename.cap", "wb")

I also tried:
But when I open filename.cap in Wireshark I don't see normal packet data:

Frame 1: 260 bytes on wire (2080 bits), 260 bytes captured (2080 bits)
    Encapsulation type: JavaScript Object Notation (175)
    Frame Number: 1
    Frame Length: 260 bytes (2080 bits)
    Capture Length: 260 bytes (2080 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: json:data-text-lines]
JavaScript Object Notation
Line-based text data (1 lines)
    [truncated]\000\000 \000\256@\000\240 \b\000\240

Are the raw data provided by tshark complete?

How can I convert them back to Wireshark readable file?

Or what am I doing wrong?

answered 2019-12-31 04:03:50 +0000 by Guy Harris

updated 2019-12-31 04:06:19 +0000

Or what am I doing wrong?

Assuming that a raw blob of data is a valid capture file.

There are a number of capture file formats that Wireshark can read.

Its native formats are pcap and pcapng; you should probably consider using a library such as Pcapy to write a file in pcap format.

Or you could write the TShark output as a pcap or pcapng file (with -w rather than -x), read it with Pcapy, process it in your Python program, and write it using Pcapy.
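The route the answer describes (get each frame's bytes, filter in Python, write a file with the headers Wireshark expects), as an added example that is not from the original question or answer. It parses the `tshark -x` hex dump the question starts from instead of reading a `-w` file with Pcapy, and writes classic pcap headers with `struct`, so it needs only the standard library; the sample dump, the IPv4-only filter, the Ethernet link type and the timestamps are all constructed assumptions.

```python
import re, struct

# Constructed sample of `tshark -x` output (not a real capture): summary line + hex dump.
SAMPLE_DUMP = """\
    1   0.000000 192.168.1.1 -> 192.168.1.2  ICMP 42 Echo (ping) request
0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 00 45 00   ........"3DU..E.
0010  00 1c 00 01 00 00 40 01 7c ce c0 a8 01 01 c0 a8   ......@.|.......
0020  01 02 08 00 f7 ff 00 00 00 00                     ..........

0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01   ........"3DU....
0010  08 00 06 04 00 01 00 11 22 33 44 55 c0 a8 01 01   ........"3DU....
0020  00 00 00 00 00 00 c0 a8 01 02                     ..........
"""
# Offset, two spaces, 1..16 hex pairs, then end of line or the ASCII column,
# which Wireshark separates from the hex bytes by at least two spaces.
HEX_LINE = re.compile(r"^([0-9a-f]{4})  ((?:[0-9a-f]{2} )*[0-9a-f]{2})(?:\s{2,}|$)", re.I)
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def parse_tshark_hexdump(text):
    """Rebuild each frame's bytes; an offset of 0000 starts a new frame."""
    frames, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:                      # summary and blank lines: skip
            continue
        offset, hexrun = int(m.group(1), 16), m.group(2)
        if offset == 0 and current:
            frames.append(bytes(current))
            current = bytearray()
        if offset != len(current):     # dump lines must be contiguous
            raise ValueError("unexpected offset %04x" % offset)
        current += bytes.fromhex(hexrun)
    if current:
        frames.append(bytes(current))
    return frames

def write_pcap(path, frames, linktype=LINKTYPE_ETHERNET):
    """Classic pcap: 24-byte global header, then a 16-byte record header
    (ts_sec, ts_usec, incl_len, orig_len) in front of every frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for i, frame in enumerate(frames):   # timestamps are constructed (i seconds)
            f.write(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)

def is_ipv4(frame):   # Python-side filter: Ethernet frames whose EtherType is 0x0800
    return len(frame) >= 14 and frame[12:14] == b"\x08\x00"

def convert(text, path, keep=is_ipv4):
    kept = [fr for fr in parse_tshark_hexdump(text) if keep(fr)]
    write_pcap(path, kept)
    return kept
```

A file written this way opens in Wireshark as Ethernet frames, whereas a bare blob of packet bytes has no file header and gets guessed as some other format, which is what the JSON dissection above shows.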

