Ask Your Question
0

Dump each packet data received on a different file where the file name is the tcp.time_relative

asked 2020-10-19 13:31:07 +0000

Faliero Rogo gravatar image

updated 2020-10-19 13:35:26 +0000

what i'm trying to achieve is to sniff the traffic over the loopback and writing every packet payload on its own file where the file name is the tcp.time_relative

with:

sudo tshark -i lo -T fields -e tcp.time_relative -e tcp.payload

image description

I can get the two fields i need, what is crucial now is a way to write each tcp.payload to a file where tcp.time_relative is the file name. If someone knows some usefull tshark commands or a way to script this would be really nice.

thank you in advance for you answers

edit retag flag offensive close merge delete

Comments

Do you want the empty files where there is no tcp.payload data?

Chuckc gravatar imageChuckc ( 2020-10-19 14:49:44 +0000 )edit

no i don't i already modified the command like this:

    tshark -l -i lo -T fields -e tcp.time_relative -e tcp.payload -Y 'tcp.len>0 and !tcp.payload contains 05:00:00:00'

to filter a packet i don't wanna read and ignore empty data

Faliero Rogo gravatar imageFaliero Rogo ( 2020-10-19 14:58:31 +0000 )edit

"a way to script this" - are you working on some flavor of *nix so a bash script would be ok?

Chuckc gravatar imageChuckc ( 2020-10-19 15:08:56 +0000 )edit

ye a bash script would do the trick

Faliero Rogo gravatar imageFaliero Rogo ( 2020-10-19 15:34:21 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-10-19 16:34:33 +0000

Chuckc gravatar image

(Test file on Wireshark wiki )


$ cat ./mktcpfile
#!/bin/bash

TIMESTAMP=""
PAYLOAD=""

read TIMESTAMP PAYLOAD
while [ "$TIMESTAMP" ]
do
    echo $TIMESTAMP
    echo $PAYLOAD > $TIMESTAMP.txt
    read TIMESTAMP PAYLOAD
done



$ tshark -r ../200722_tcp_anon.pcapng -T fields -e tcp.time_relative -e tcp.payload -Y tcp.payload | ./mktcpfile
0.004678000
0.005701000
0.005734000
0.005745000
0.005752000
0.005762000
0.005770000
0.005776000
8.657441000
10.162740000
12.385270000
$
$ ls
0.004678000.txt  0.005734000.txt  0.005752000.txt  0.005770000.txt  10.162740000.txt  8.657441000.txt
0.005701000.txt  0.005745000.txt  0.005762000.txt  0.005776000.txt  12.385270000.txt  mktcpfile
$ cat ./0.004678000.txt
68656c6c6f0a
$

Sharkfest video on using tshark:
SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)

edit flag offensive delete link more

Comments

That's great, totally what i was looking for. thank you

Faliero Rogo gravatar imageFaliero Rogo ( 2020-10-20 08:17:49 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-10-19 13:31:07 +0000

Seen: 230 times

Last updated: Oct 19 '20

Related questions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?

Help to set up a "pass through bridge" sniffer

nfs.pathname.component in UTF-8

build wireshark on linux can't find Qt includes

windows missing horizontal scrollbar

Sniffing (forwarded) wifi packets using promiscuous mode

Microsoft Network Monitor cap file can be opened by Wireshark but save as function is disabled

Save packet data as hex string

Is there a limit on the size of a xml file (containing 3gpp trace) that can be loaded on wireshark?

How to capture filename (path) for NFSv4 traffic using tshark