Export Wireshark Packet comments

asked 2022-04-01 14:44:29 +0000

Is there a way to export a wireshark packet comment? I see no bytes associated with them, so I assume it isnt possible? I also can't seem to access the packet comment layer outside of wireshark either. This would be a very handy feature to help with data tagging. Thanks

EDIT: I see you can add comments with tshark/editcap. I did find out you can export it if you make it a column header, and export the dissections as csv. Just was wondering if there is another way.

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2022-04-04 19:31:37 +0000

SYN-bit

18528 ●9 ●338 ●255 https://SYN-b.it

You can use tshark to export the comments:

$ tshark -nl -r ~/Wireshark/TCP-QA/TCP-QA-001.pcapng -Y frame.comment -T fields -e frame.number -e frame.comment
55  [20200406 Sake 3.2.2]\nThis frame is correctly marked as "out-of-order"
61  [20200405 Sake 3.2.2] ERROR\nThis should be marked as "out-of-order" as the per the ip.id it was sent after frame 55\n\nAlso, as the iRTT is ~150ms this frame could not have been a fast-retransmission as the DUP-ACKs have not reached the server yet.\n\nAlso, there have not been 3 DUP-ACKs for 49820 yet\n
[...]
$

In a comment above you mention pyshark. I'm not familiar with pyshark, so I don't know about it's capabilities. As packet comments are special blocks in a pcapng file, you will need to look for tools that are able to read those blocks. As @Guy Harris already mentions, a lot of tools just access the packets without accessing the extra information blocks in a pcanng file. So maybe using tshark is your best bet...

edit flag offensive delete link

Comments

As packet comments are special blocks in a pcapng file,

Options, not blocks. A packet comment is an option in a packet block (Enhanced Packet Block or the deprecated Packet Block); they're not separate blocks.

So what's needed is code that reads pcapng files and understands comment options in blocks, so that it provides the contents of those options to the user.

Guy Harris ( 2022-04-04 20:48:03 +0000 )edit

add a comment

answered 2022-04-01 19:45:58 +0000

Guy Harris
19890 ●3 ●659 ●207

updated 2022-04-02 02:35:56 +0000

I also can't seem to access the packet comment layer outside of wireshark either.

"Outside of Wireshark" in what sense?

If you mean "outside the Wireshark application", then TShark, which is part of the Wireshark release but is a separate program from the Wireshark application (although it's build atop the same file reading and packet dissection libraries that Wireshark is), can display them. tshark -V will display them, and, as comments for a frame are shown as the named field frame.comment, you can use tshark -T fields -e to display them, and they also show up in tshark -T pdml, tshark -T json, and tshark -T ek output.

If you mean "outside the Wireshark release", I don't know what non-Wireshark software directly understands pcapng (rather than just using standard libpcap - which can read some pcapng files, but just supplies its packets with the same API it uses for pcap, and thus throws away additional information such as comments) and displays comments.

edit flag offensive delete link

Comments

Hello, thank you for the reply. By "outside of wireshark" I guess I meant accessing the comments via hex. Are there any hex bits/bytes associated with the wireshark comments text (similar to how other fields are). Or for example, I was trying to access the wireshark comments layer with pyshark but I could not. Thanks.

tigerx51v ( 2022-04-04 12:45:20 +0000 )edit

add a comment