Extract specific byte offset using tshark

edit

The posted image would appear to be highlighting the TTL field of the IP header, so assuming that's the field you're interested in, you can obtain it using the following:

tshark -r test.pcapng -Y "frame.number == 13" -T fields -e ip.ttl -w output.bin

You can refer to the Wireshark Display Filter Reference page to find all available Wireshark display filters including the ip.ttl field. You can also find them in other ways. Refer to the wireshark-filter man page for more information.

EDIT: If you want all the bytes of frame number 13 to be displayed, you can call tshark like so:

tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin

So if for whatever reason you don't like the -e ip.ttl solution, you could isolate the 22nd byte from the hex output generated with -x with a little piping to tools like grep and cut, for example:

tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin | grep "^0010" | cut -d ' ' -f 9

There may be a more elegant solution than this, but this should be a good starting point in the absence of any another suitable solution, provided of course that your platform has both grep and cut available.

If the IP header doesn't vary in length, try to chop out the byte with editcap:
https://ask.wireshark.org/question/14...

I'm not aware of any tshark capabilities to restrict the output to specific bytes, only whole fields, using the -e field selector. The data field is available as a fallback when no other dissector is able to further dissect the payload, this may be due to there being no dissector for the traffic, the dissector being disabled, the traffic not being on the "expected" port, or other reasons.

I think you will have to post process the tshark output using external tools to extract the particular data you require.