Ask Your Question
0

How do I extract the right information of a pcap file with pcap2matlab?

asked 2020-07-23 13:33:24 +0000

Bram gravatar image

updated 2020-08-11 12:42:28 +0000

Hey, I want to use data that is in a pcap file in matlab, and for this I found the pcap2matlab function (https://www.mathworks.com/matlabcentr...). However I don't have a good enough understanding of wireshark to make this work so I was hopping somebody might be able to help me out.

My pcap file is of data gathered by a sonar in multiple frames, and it looks like this (https://imgur.com/EqfoodN). From this I need the data that is in Range Data (https://imgur.com/sQnbiMH) and Angles (https://imgur.com/p0ZYZ0d).

Can anybody help me with what kind of commands I need to use to extract the desired data? Thanks!

Edit: As grahamb mentioned the pcap2matlab function uses the same commands as tshark, so if anybody has any experience with that and would like to help me here is the data: https://gofile.io/d/3UnV8S.

Once again thanks for the help!

Edit2: Sorry forgot to add the dissector, here it is: https://gofile.io/d/bCXBDG

Edit3: This was the reply email that I got when asking for the source code:

He would need to learn how to parse PCAP files in Matlab.

Bar that, he could use our WirePlay program to send the PCAP file as Ethernet UDP data. Matlab can ingest UDP and TCP/IP Ethernet data. WirePlay can be downloaded at: http://vvv.r2sonic.com/oldSite/tools/...

If he is trying to deal with Water Column data, Matlab will struggle due to the data rate. Writing a Matlab C executable would be helpful. Or, do the project in Python which has most of the functionality of Matlab.

If dealing with Water Column data, it would be better to use Water Column data files that the sonar GUI can save. This saves the hassle of trying to deal with Ethernet data or PCAP files. Matlab, et al, can chug away at a WC data file at its own pace.

Edit4:

Solution found here: https://ask.wireshark.org/question/18...

Anybody know how I could be able to do this? I have no idea if this is the right place to ask this as I am really unfamiliar with this type of data

edit retag flag offensive close merge delete

Comments

Looks like there is a "Wireshark decoder" mentioned here.
Have you tried asking R2SONIC about the decoder?

Chuckc gravatar imageChuckc ( 2020-07-23 16:03:28 +0000 )edit

As @Chuckc implied, the data in the capture doesn't appear to be supported by the built-in dissectors so if the data is from a custom protocol, and as you have shown images of it there does seem to be some form of dissection, we would need to get a copy of that dissector to help out.

There should be no issue sharing the dissector as due to the licence that Wireshark uses (GPL 2.0 or later) the source of any dissectors distributed outside of the originators company MUST be made available.

grahamb gravatar imagegrahamb ( 2020-07-23 16:15:13 +0000 )edit

You guys are right, I added the dissector link: https://gofile.io/d/bCXBDG The dissector only works with an old version unfortunately, so I used wireshark 1.12

Bram gravatar imageBram ( 2020-07-23 16:57:46 +0000 )edit

1.12? Uggh, it was EOL 4 years ago.

Does tshark of that vintage print out anything useful when given the -G fields option, e.g.

path\to\tshark.exe -G fields > fields.txt

Make sure you redirect to a file as the output is large. You're looking for anything with "R2Sonic" in it.

grahamb gravatar imagegrahamb ( 2020-07-23 17:05:38 +0000 )edit

Since you're distributing a binary of a GPL'ed program, can we have the source code please?

Jaap gravatar imageJaap ( 2020-07-23 17:41:06 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-07-23 13:53:13 +0000

grahamb gravatar image

Ideally that would be a question for the relevant support channels for pcap2matlab but as it seems to be abandoned by the author you may be out of luck.

The 2nd parameter of the function, decodeas_and_dissector seems to allow field selection (option 2 in the help) which is what you need. You can find field names in Wireshark by opening the capture and selecting the field in the packet details pane and looking at the status bar at the bottom to see the field name in parenthesis. Construct your argument from those field names.

edit flag offensive delete link more

Comments

Thanks for your reply, when i look for the field name for a certain range value it only displays (text), and i cannot use this as a valid input in the function.

When you look at the documentation, do you maybe know how i can select all the data? I can than filter the data myself in matlab, so just getting it all in matlab would also work.

Thanks!

Bram gravatar imageBram ( 2020-07-23 14:01:49 +0000 )edit

There is a reference list for all Wireshark display filter fields here organised by protocol, I'm not sure which protocol you're interested in so can't direct you to the exact spot.

grahamb gravatar imagegrahamb ( 2020-07-23 14:40:26 +0000 )edit

As this site is about Wireshark (and the rest of the applications in the suite) fixing up issues with a matlab plugin are out of scope.

However, tshark (the command line version of Wireshark) can output data in a number of formats, with field selection to limit the output, that may allow you to achieve what you want. The tshark manual is here.

Putting your capture on a public share and posting a link to it back here might allow someone to answer with suitable commands to get you some output.

grahamb gravatar imagegrahamb ( 2020-07-23 14:47:50 +0000 )edit

And I'm guessing, from all the references to tshark in the page about pcap2matlab, that it runs TShark, generating one of those formats, and reads its output.

If so, then, to use it, you'd need 1) a version of TShark with that plugin (which may involve getting the source and either modifying it yourself and building it or contributing the source to the Wireshark project to incorporate the dissector into Wireshark) and 2) the names of the fields in question (which you could get from the source).

Guy Harris gravatar imageGuy Harris ( 2020-07-24 02:18:33 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-07-23 13:33:24 +0000

Seen: 1,519 times

Last updated: Aug 11 '20