Formatting TShark payload output with timestamp

tshark
bash

asked 2022-02-14 16:07:00 +0000

Dani
1 ●1

updated 2022-02-14 16:32:48 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

Currently I'm outputting the ascii payload of tshark filtered packets:

tshark -i ens224 -l -T fields -e data host 192.168.1.123 and dst port 3423 | xargs -n1 -I{} echo "{}0d0a" | xxd -r -p -

where xxd is being used to convert the hex data in the data field to ascii.

  tshark  
    -i interface name  
    -f host filter for local broadcast  
    -l flush stdout after each packet    
    -T fields output fields specified by -e   
    -e data   tshark will only output undissected data in packets  

  xargs  
    -n1 trigger on one recieved cmd line arg  
    -i{} use {} for substitution in echo command  
    "{}0d0a"  add crlf to hex string data from packet to flush stdout in xxd  
    echo use echo to aggregate hex data with crlf and pipe to xxd  

  xxd  
    -r reverse hex to ascii  
    -p plain text output  
    -  take input from stdin

The output looks something like:

1 Data in packet
7 Data in another packet

I'd like to prepend that with the capture time.

1 15:20:32 Data in packet
7 15:23:01 Data in another packet

How do I do that?

edit retag flag offensive close merge delete

add a comment

Comments

Thank you. that was really helpful

Dani ( 2022-02-14 20:17:19 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Formatting TShark payload output with timestamp

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Formatting TShark payload output with timestamp edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Formatting TShark payload output with timestamp