First time here? Check out the FAQ!

Ask Your Question
0

tshark: Extract hex data for whole frame along with epoch time with microseconds/nanoseconds precision
 
  
 
  
 
 
 
 
 
 
    
        
        asked Apr 29 '1  
 
 left4dead gravatar image  
 
 
 
 
    
        
        updated Apr 29 '1  
 
 
 
 
 
Is there a way to extract the whole frame hex dump using tshark with epoch time?
 
I am able to run following command which provides me both of the fields (i.e. frame_raw and frame.time_epoch) I need:
 
tshark -r <pcapng_path> -x -T json -j "frame"
 
However, I would like to use something like below:
 
tshark -r <pcapng_path> -x -T ek -e frame.time_epoch -e raw
 
OR
 
tshark -r <pcapng_path> -x -T ek -e frame.time_epoch -e frame_raw
 
Preview: (hide)
 
 
 
 
          
 
add a comment
 
 
 
 
 
 1 Answer
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Apr 29 '1  
 
 Chuckc gravatar image  
 
 
 
 
 
It would be nice if there was a frame.data field but that doesn't exist at this time.
 frame_raw is not a field. It is a special case JSON format (print.c):
 
        // "-x" command line option. A "_raw" suffix is added to the json key so the textual value can be printed
        // with the original json key. If both hex and text writing are enabled the raw information of fields whose
        // length is equal to 0 is not written to the output. If the field is a special text pseudo field no raw
        // information is written either.

 
You asked for tshark. Here's something close with rawshark. The output will need to be cleaned up (grep/sed/awk/perl/python/...) so maybe a tossup whether this is better than the tshark output. From the rawshark man page: "Also note that the output may be in any order"
 
C:\>rawshark -s  -r - -d proto:frame -F frame.time_epoch -F frame < dhcp.pcap
0 FT_RELATIVE_TIME BASE_NONE - 1 FT_PROTOCOL BASE_NONE -
1 1="ff:ff:ff:ff:ff:ff:00:0b:82:01:fc:42:08:00:45:00:01:2c:a8:36:00:00:fa:11:17:8b:00:00:00:00:ff:ff:ff:ff:00:44:00:43:01:18:59:1f:01:01:06:00:00:00:3d:1d:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:0b:82:01:fc:42:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:63:82:53:63:35:01:01:3d:07:01:00:0b:82:01:fc:42:32:04:00:00:00:00:37:04:01:03:06:2a:ff:00:00:00:00:00:00:00" 0="1102274184.317453000" -
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
Appreciate the quick response, Chuck.
One additional point for my query is that I need to work with pcapng files. Updating my question accordingly.
I tried the command for both pcap and pcapng files and I see the following issue for both (of course, packet length value in error message varies):
0 FT_RELATIVE_TIME BASE_NONE - 1 FT_PROTOCOL BASE_NONE - 
rawshark: The standard input appears to be damaged or corrupt.
(Bad packet length: 544108393)
left4dead gravatar imageleft4dead (
    
        Apr 29 '1
    )
@left4dead, can you show your rawshark command line?
grahamb gravatar imagegrahamb (
    
        Apr 29 '1
    )
@grahamb
The following is for a pcap file.
rawshark -s  -r - -d proto:frame -F frame.time_epoch -F frame < /Users/ab/Traces/VO41RegTD416SecureInstCertBrowsingIncogGmail/traffic.cap
Output:
0 FT_RELATIVE_TIME BASE_NONE - 1 FT_PROTOCOL BASE_NONE - 
rawshark: The standard input appears to be damaged or corrupt.
(Bad packet length: 1509949440)
left4dead gravatar imageleft4dead (
    
        Apr 29 '1
    )
What is the purpose of rawshark?

I'm not sure if there is enough interest in rawshark to add support for pcapng.

If python is an option, look at python-pcapng or scapy.


(There are fields for pcap_pktdata, file-pcap and file-pcapng but I didn't have any luck displaying them with tshark.)
Chuckc gravatar imageChuckc (
    
        Apr 29 '1
    )
add a comment
 
 
 
 
  
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 

        
        
            1 follower
        
    
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  Apr 29 '1  
 
 
        Seen: 1,407 times 
 

        Last updated: Apr 29 '21 
 
 
 
Related questions
 
 
 Deduplication in tshark -T ek [closed] 
 
 filtering out protocol, sequence number, and ack  using tshark 
 
 Using tshark filters to extract only interesting traffic from 12GB trace 
 
 Any way to use cmd tshark for a gns3 wire? 
 
 authority RRs tshark 
 
 can I install only tshark? 
 
 How do I change the interface on Tshark? 
 
 Tshark TCP stream assembly 
 
 Tshark output file problem, saving to csv or txt 
 
 How to convert Pcapng file to pcap file by Tshark