Get UDP payload live for all ports [closed]

asked 2022-01-09 10:34:12 +0000

PaavoV

Hello, I'm trying to live-capture the payloads of all UDP packets; however, it seems to work only for non-standard ports, while it doesn't show any payload for the well-known ones:

tshark -n -f "udp" -T fields -e ip.src -e udp.dstport -e data

Example output:

Capturing on 'eth0'

185.31.x.x 600 746573740a

185.31.x.x 500 746573740a

185.31.x.x 53

185.31.x.x 389

185.31.x.x 123

The -n option is not helping. Any idea?

Thank you!


Closed for the following reason: the question is answered, right answer was accepted by PaavoV
close date 2022-01-09 20:58:28.134699

1 Answer


answered 2022-01-09 17:30:03 +0000

Chuckc

Create a profile with only the Ethernet, IPv4 and UDP protocols enabled (Analyze -> Enabled Protocols...), then run tshark with it:

The-Ultimate-PCAP$ tshark -r ultpcap2.pcapng -C UDP_and_below -T fields -e ip.src -e udp.dstport -e data -Y udp
0.0.0.0 67      01010600ecd8ce24000000000000000000000000000000000000000000216a2d3b8e000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000638253633501010c0c4d6963726f6b6e6f707069783712011c02030f06770c2c2f1a792a79f921fc2aff0000000000000
0000000000000000000000000000000
192.168.2.102   53      b89f010000010000000000000568656973650264650000010001
192.168.2.1     56606   b89f818000010001000000000568656973650264650000010001c00c000100010000002e0004c1639050
192.168.2.102   53      d7fa01000001000000000000023830033134340239390331393307696e2d61646472046172706100000c0001
192.168.2.1     41635   d7fa81800001000100000000023830033134340239390331393307696e2d61646472046172706100000c0001c00c0
00c00010000ba3100150a72656469726563746f7205686569736502646500
192.168.2.102   53      fb5a01000001000000000000023830033134340239390331393307696e2d61646472046172706100000c0001
192.168.2.1     39208   fb5a81800001000100000000023830033134340239390331393307696e2d61646472046172706100000c0001c00c0
00c00010000ba3000150a72656469726563746f7205686569736502646500

(XXX - The IP Option protocols came along even though the first step was to Disable All. Working as intended?)


Comments

Actually, I'm on CLI only; is there any way to do it with the command itself? And also I need it live and not from dumped traffic.

Thanks!

PaavoV ( 2022-01-09 18:30:08 +0000 )

Actually, I saw elsewhere that it is not possible to select disabled protocols by CLI options, therefore a file under $HOME/.wireshark/disabled_protos must be created. That solution actually works.

Thanks for your help!

PaavoV ( 2022-01-09 20:39:12 +0000 )

Potential cleanup of Enabled/Disabled Protocols: 17863 - Qt: display PINO as child of parent protocol

Chuckc ( 2022-01-10 17:56:22 +0000 )
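The answer's profile approach and the comment's disabled_protos file can be combined into a script, so the profile is generated from the command line without the GUI. This is an added example, not code from the question, the answer or the Wireshark project. It assumes a profile name "UDP_only", the profiles directory shown in the script (older installs keep profiles under $HOME/.wireshark/profiles instead), and that `tshark -G protocols` prints each dissector's filter name in its third tab-separated column; the disabled_protos format itself (one protocol filter name per line, '#' comments) is the one Wireshark writes.

```shell
#!/bin/sh
# Added example: build a tshark configuration profile whose disabled_protos
# file turns off every dissector except a short keep-list, so that UDP
# payloads on well-known ports (53, 123, 389, ...) are no longer claimed by
# DNS/NTP/LDAP and fall through to the generic "data" dissector, which is
# what "-e data" prints.
# Assumptions (not from the page): profile name, profiles directory, and
# that `tshark -G protocols` has the filter name in column 3.

KEEP="frame eth ethertype ip udp data"   # dissectors that must stay enabled
PROFILE_NAME="UDP_only"
PROFILES_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/wireshark/profiles"
# older installs: PROFILES_DIR="$HOME/.wireshark/profiles"

# build_disabled_list: read protocol filter names on stdin (one per line),
# print every name that is not in $KEEP. Blank lines are skipped.
build_disabled_list() {
  while IFS= read -r name; do
    if [ -z "$name" ]; then continue; fi
    keep=0
    for k in $KEEP; do
      if [ "$name" = "$k" ]; then keep=1; break; fi
    done
    if [ "$keep" -eq 0 ]; then printf '%s\n' "$name"; fi
  done
  return 0
}

# write_profile DIR: create the profile directory DIR and write its
# disabled_protos from the filter names given on stdin; prints the file path.
write_profile() {
  dir="$1"
  mkdir -p "$dir"
  {
    printf '# generated by the example script; keep-list: %s\n' "$KEEP"
    build_disabled_list
  } > "$dir/disabled_protos"
  printf '%s\n' "$dir/disabled_protos"
}

# Run as `sh udp_only.sh run` to generate the profile from the local tshark's
# protocol list and start the live capture the question asked for.
if [ "${1:-}" = "run" ]; then
  command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; exit 1; }
  tshark -G protocols | cut -f3 | write_profile "$PROFILES_DIR/$PROFILE_NAME"
  exec tshark -C "$PROFILE_NAME" -n -f udp -T fields \
       -e ip.src -e udp.dstport -e data
fi
```

The keep-list deliberately includes "frame" and "data" alongside the Ethernet, IPv4 and UDP dissectors from the answer, since the payload can only be printed if the data dissector stays active. Heuristic dissectors are configured in a separate heuristic_protos file and are not touched by this script; if one of them claims a UDP payload, disable it there as well.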


Asked: 2022-01-09 10:30:03 +0000

Seen: 171 times

Last updated: Jan 09 '22