Ask Your Question
0

Extract specific byte offset using tshark

asked 2020-02-21 10:08:29 +0000

juiceb0xk gravatar image

I have a pcap of ICMP packets. I am trying to use tshark to extract the payload data so that I can extract a specific byte offset.

The tshark documentation is highly convoluted, especially for me, a beginner.

I've been searching around a lot and I'm trying to piece together a command for the purpose of my goal.

I can run the following command:

shark -r test.pcapng -Y icmp -z flow,icmp,network > output.bin

But it only outputs the packet list as it were shown in Wireshark.

For example, I am trying to extract the following byte offset from each packet (offset 22):

enter image description here

How would I go about extracting a specific byte offset with tshark?

EDIT:

Issuing the following command only returns a portion of the payload data, how can I get all of it?

tshark -r test.pcapng -Y "frame.number == 13" -T fields -e data -w output.bin

enter image description here

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
0

answered 2020-02-21 13:58:46 +0000

cmaynard gravatar image

updated 2020-02-22 02:39:43 +0000

The posted image would appear to be highlighting the TTL field of the IP header, so assuming that's the field you're interested in, you can obtain it using the following:

tshark -r test.pcapng -Y "frame.number == 13" -T fields -e ip.ttl -w output.bin

You can refer to the Wireshark Display Filter Reference page to find all available Wireshark display filters including the ip.ttl field. You can also find them in other ways. Refer to the wireshark-filter man page for more information.

EDIT: If you want all the bytes of frame number 13 to be displayed, you can call tshark like so:

tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin

So if for whatever reason you don't like the -e ip.ttl solution, you could isolate the 22nd byte from the hex output generated with -x with a little piping to tools like grep and cut, for example:

tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin | grep "^0010" | cut -d ' ' -f 9

There may be a more elegant solution than this, but this should be a good starting point in the absence of any another suitable solution, provided of course that your platform has both grep and cut available.

edit flag offensive delete link more
0

answered 2020-02-21 13:49:45 +0000

Chuckc gravatar image

If the IP header doesn't vary in length, try to chop out the byte with editcap:
https://ask.wireshark.org/question/14...

edit flag offensive delete link more
0

answered 2020-02-21 10:14:22 +0000

grahamb gravatar image

I'm not aware of any tshark capabilities to restrict the output to specific bytes, only whole fields, using the -e field selector. The data field is available as a fallback when no other dissector is able to further dissect the payload, this may be due to there being no dissector for the traffic, the dissector being disabled, the traffic not being on the "expected" port, or other reasons.

I think you will have to post process the tshark output using external tools to extract the particular data you require.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-02-21 10:08:29 +0000

Seen: 1,097 times

Last updated: Feb 22