Ask Your Question
0

Dump each packet data received on a different file where the file name is the tcp.time_relative

asked 2020-10-19 13:31:07 +0000

Faliero Rogo gravatar image

updated 2020-10-19 13:35:26 +0000

what i'm trying to achieve is to sniff the traffic over the loopback and writing every packet payload on its own file where the file name is the tcp.time_relative

with:

sudo tshark -i lo -T fields -e tcp.time_relative -e tcp.payload

image description

I can get the two fields i need, what is crucial now is a way to write each tcp.payload to a file where tcp.time_relative is the file name. If someone knows some usefull tshark commands or a way to script this would be really nice.

thank you in advance for you answers

edit retag flag offensive close merge delete

Comments

Do you want the empty files where there is no tcp.payload data?

Chuckc gravatar imageChuckc ( 2020-10-19 14:49:44 +0000 )edit

no i don't i already modified the command like this:

    tshark -l -i lo -T fields -e tcp.time_relative -e tcp.payload -Y 'tcp.len>0 and !tcp.payload contains 05:00:00:00'

to filter a packet i don't wanna read and ignore empty data

Faliero Rogo gravatar imageFaliero Rogo ( 2020-10-19 14:58:31 +0000 )edit

"a way to script this" - are you working on some flavor of *nix so a bash script would be ok?

Chuckc gravatar imageChuckc ( 2020-10-19 15:08:56 +0000 )edit

ye a bash script would do the trick

Faliero Rogo gravatar imageFaliero Rogo ( 2020-10-19 15:34:21 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-10-19 16:34:33 +0000

Chuckc gravatar image

(Test file on Wireshark wiki )


$ cat ./mktcpfile
#!/bin/bash

TIMESTAMP=""
PAYLOAD=""

read TIMESTAMP PAYLOAD
while [ "$TIMESTAMP" ]
do
    echo $TIMESTAMP
    echo $PAYLOAD > $TIMESTAMP.txt
    read TIMESTAMP PAYLOAD
done


$ tshark -r ../200722_tcp_anon.pcapng -T fields -e tcp.time_relative -e tcp.payload -Y tcp.payload | ./mktcpfile
0.004678000
0.005701000
0.005734000
0.005745000
0.005752000
0.005762000
0.005770000
0.005776000
8.657441000
10.162740000
12.385270000
$
$ ls
0.004678000.txt  0.005734000.txt  0.005752000.txt  0.005770000.txt  10.162740000.txt  8.657441000.txt
0.005701000.txt  0.005745000.txt  0.005762000.txt  0.005776000.txt  12.385270000.txt  mktcpfile
$ cat ./0.004678000.txt
68656c6c6f0a
$

Sharkfest video on using tshark:
SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)

edit flag offensive delete link more

Comments

That's great, totally what i was looking for. thank you

Faliero Rogo gravatar imageFaliero Rogo ( 2020-10-20 08:17:49 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-10-19 13:31:07 +0000

Seen: 230 times

Last updated: Oct 19 '20