Extract and concat packet bytes from multiple streams

asked 2022-10-21 22:35:57 +0000

g2lb

I need to extract and merge packet bytes from ~3,000 separate packets. Each packet is part of a separate UDP stream. Export Packet Bytes lets me get the bytes from a single packet, but I need to extract and concat all the bytes from the multiple packets. I have a filter displaying only the packets of interest in sequential order.

tshark -r "filename" -T fields -e udp.payload -Y "display filter"

Do you have a test case to verify the extraction is working?
Is this a common task or a one off? CyberChef can be handy for finessing the hex data.

Chuckc

answered 2022-10-22 18:47:51 +0000

Jasper

After a nudge from @Chuckc I spent an hour to create a small Win64 command line tool that should do what you need. All you need to do is to export your UDP packets of interest to a single pcapng file, and run UDPayloadCarve yourfilename.pcapng (yes, only one P in the name, for the fun of it :)). It will result in a new file in the same directory called "UDPPayloadMerged.bin". You can get that tool here:

Hope this helps.

Another possible solution as provided by @pstavirs?

tshark -r sample-udp-test.pcap -T fields -e udp.payload -Y "display filter" | xxd -r -p - out.dat
cmaynard
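
The extraction discussed in this thread, as an added Python example that is not part of the original posts and is not the code of the tool mentioned above: it reads a capture, pulls each UDP payload and concatenates them in capture order. It assumes the packets of interest were first exported to a classic pcap file (not pcapng) with Ethernet/IPv4 framing; the function names and the sample capture are constructed for illustration.

```python
import struct

def udp_payloads(pcap: bytes):
    """Yield each UDP payload from a classic pcap (not pcapng), Ethernet/IPv4 only."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        payload = _udp_payload(pcap[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
        if payload is not None:
            yield payload

def _udp_payload(frame: bytes):
    """Return the UDP payload of one Ethernet frame, or None if it is not plain UDP."""
    if len(frame) < 14:
        return None
    l3, ethertype = 14, frame[12:14]
    if ethertype == b"\x81\x00":              # one 802.1Q VLAN tag
        l3, ethertype = 18, frame[16:18]
    if ethertype != b"\x08\x00" or len(frame) < l3 + 20:
        return None                           # not IPv4
    ihl = (frame[l3] & 0x0F) * 4
    frag = struct.unpack("!H", frame[l3 + 6:l3 + 8])[0] & 0x3FFF  # MF bit + offset
    l4 = l3 + ihl
    if ihl < 20 or frame[l3 + 9] != 17 or frag or len(frame) < l4 + 8:
        return None                           # not UDP, or an IP fragment
    udp_len = struct.unpack("!H", frame[l4 + 4:l4 + 6])[0]
    # Slice by the UDP length field so Ethernet padding on short frames is dropped.
    return frame[l4 + 8:l4 + udp_len] if udp_len >= 8 else None

def merge_udp_payloads(pcap: bytes) -> bytes:
    """Concatenate all UDP payloads in capture order."""
    return b"".join(udp_payloads(pcap))

def sample_pcap(payloads):
    """Constructed sample capture: one padded Ethernet/IPv4/UDP frame per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        udp = struct.pack("!HHHH", 5000, 5001, 8 + len(p), 0) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
        frame = (b"\x02" * 12 + b"\x08\x00" + ip + udp).ljust(60, b"\x00")
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Comparing the merged output against a known payload from a small constructed capture like `sample_pcap` is one way to verify the extraction before running it on the real file.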

