Get UDP payload live for all ports [closed]

asked 2022-01-09 10:34:12 +0000 by PaavoV

Hello, I'm trying to live-capture the payloads of all UDP packets; however, it seems to work only for non-standard ports, while it doesn't show any payload for the well-known ones:

tshark -n -f "udp" -T fields -e ip.src -e udp.dstport -e data

Example output:

Capturing on 'eth0'

185.31.x.x 600 746573740a

185.31.x.x 500 746573740a

185.31.x.x 53

185.31.x.x 389

185.31.x.x 123

The -n option is not helping. Any idea?

Thank you!


Closed for the following reason the question is answered, right answer was accepted by PaavoV
close date 2022-01-09 20:58:28.134699

1 Answer


answered 2022-01-09 17:30:03 +0000 by Chuckc

Create a profile with only the Ethernet, IPv4 and UDP protocols enabled (Analyze -> Enabled Protocols...), then run tshark with it:

The-Ultimate-PCAP$ tshark -r ultpcap2.pcapng -C UDP_and_below -T fields -e ip.src -e udp.dstport -e data -Y udp

udp.dstport  data
67      01010600ecd8ce24000000000000000000000000000000000000000000216a2d3b8e0000000000000000000000000000000000000000000000000000000000000000
53      b89f010000010000000000000568656973650264650000010001
56606   b89f818000010001000000000568656973650264650000010001c00c000100010000002e0004c1639050
53      d7fa01000001000000000000023830033134340239390331393307696e2d61646472046172706100000c0001
41635   d7fa81800001000100000000023830033134340239390331393307696e2d61646472046172706100000c0001c00c000c00010000ba3100150a72656469726563746f7205686569736502646500
53      fb5a01000001000000000000023830033134340239390331393307696e2d61646472046172706100000c0001
39208   fb5a81800001000100000000023830033134340239390331393307696e2d61646472046172706100000c0001c00c0

(XXX - The IP Option protocols came along even though the first step was to Disable All. Working as intended?)



Actually I'm on CLI only; is there any way to do it by the command itself? And also I need it live and not from dumped traffic.


PaavoV (2022-01-09 18:30:08 +0000)

Actually I saw around that it is not possible to select disabled protocols by CLI options, therefore a file under $HOME/.wireshark/disabled_protos must be created. That solution actually works.

Thanks for your help!

PaavoV (2022-01-09 20:39:12 +0000)

Potential cleanup of Enabled/Disabled Protocols: 17863 - Qt: display PINO as child of parent protocol

Chuckc (2022-01-10 17:56:22 +0000)
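The thread's fix, as an added example rather than code from the question or the answer: a small POSIX shell script that builds a throw-away tshark configuration profile whose disabled_protos file switches off the dissectors that normally claim the well-known UDP ports (DNS, LDAP, NTP, DHCP), so that "-e data" is populated for them exactly as it is for unregistered ports. It assumes that tshark reads profiles from $XDG_CONFIG_HOME/wireshark/profiles/<name>/ (older builds used $HOME/.wireshark/profiles/<name>/, the location mentioned above), that disabled_protos holds one protocol filter name per line with "#" starting a comment, and that the filter names are dns, ldap, ntp and dhcp (bootp on pre-3.0 builds). The profile name udp_payload_only and the function names are my own.

```shell
#!/bin/sh
# Added example for this thread (not code from the question or the answer).
# Builds a throw-away tshark profile whose disabled_protos file turns off the
# dissectors that would otherwise consume the UDP payload, so "-e data" shows
# the raw bytes for well-known ports as well.
#
# Assumptions (not stated on the page):
#  * tshark reads profiles from $XDG_CONFIG_HOME/wireshark/profiles/<name>/
#    (older builds: $HOME/.wireshark/profiles/<name>/, as mentioned in the thread);
#  * disabled_protos holds one protocol filter name per line, "#" starts a comment;
#  * the filter names are "dns", "ldap", "ntp" and "dhcp" ("bootp" before 3.0).

PROFILE_NAME="udp_payload_only"
PROFILE_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/wireshark/profiles/$PROFILE_NAME"

# Dissectors behind the ports that showed no payload in the question
# (53 dns, 389 ldap, 123 ntp) plus port 67 (dhcp) seen in the answer's capture.
DISABLE_PROTOS="dns ldap ntp dhcp"

# write_disabled_protos DIR PROTO... : creates DIR/disabled_protos, prints its path.
write_disabled_protos() {
    dir="$1"
    shift
    mkdir -p "$dir"
    {
        echo "# protocols whose dissectors would otherwise consume the UDP payload"
        for proto in "$@"; do
            echo "$proto"
        done
    } > "$dir/disabled_protos"
    echo "$dir/disabled_protos"
}

# build_capture_cmd IFACE PROFILE : prints the live-capture command line.
# -C selects the profile, -f is the BPF capture filter, -e data is the raw payload
# that falls through to the generic "data" dissector once the others are disabled.
build_capture_cmd() {
    printf 'tshark -n -i %s -C %s -f udp -T fields -e ip.src -e udp.dstport -e data\n' "$1" "$2"
}

# count_disabled FILE : number of protocol entries (non-comment, non-empty lines),
# a quick sanity check that the file tshark will read contains what we expect.
count_disabled() {
    grep -cv -e '^#' -e '^$' "$1"
}

# Only touch the real profile directory when an interface is given, e.g.:
#   sh udp_payload_profile.sh eth0
if [ "$#" -ge 1 ]; then
    # shellcheck disable=SC2086  # word-splitting of DISABLE_PROTOS is intended
    f=$(write_disabled_protos "$PROFILE_DIR" $DISABLE_PROTOS)
    echo "wrote $f with $(count_disabled "$f") disabled protocols"
    cmd=$(build_capture_cmd "$1" "$PROFILE_NAME")
    echo "run (needs capture privileges): $cmd"
fi
```

Live capture with -f needs capture privileges (root or CAP_NET_RAW/CAP_NET_ADMIN on Linux). Keep the disabled dissectors in a dedicated profile as done here: with them off, tshark no longer validates or decodes those protocols, which is fine for dumping payload bytes but not what you want in a default analysis profile. Current tshark releases also accept --disable-protocol dns,ldap,ntp,dhcp directly on the command line, which gives the same result without a profile directory.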
