TShark Command Script to Read/Output all Good UDP Packets
I've recently gotten into the world of using TShark to acquire PCAPs. I once upon a time strictly used Wireshark and did it all manually. But I had created a parser that could dig through Wireshark PCAPs and output all the data. But now I'm seeing that my parser is insufficient to read TShark PCAPs due to some confusing stuff regarding the header. Then I saw that TShark has a -R/-r command that I guess can read back the file. But seemingly only the # of packets and their packet size.
What would be the appropriate command line combination to dump all (and ONLY) the good UDP raw data? Either into a file or into the command prompt (probably preferably a file). I was trying to read up on this and unfortunately, my dyslexia kicks in (My reading comprehension scores were garbage growing up).
Please and thank you!
Can you clarify what "good UDP" is?
I guess I mean that I occasionally see DNS "Format errors" throughout a UDP PCAP. So how do I also ignore those in my data dump?
You want to exclude DNS responses with a response code (2.3 RCODE Assignment) of 1, Format error - The name server was unable to interpret the query?
I think the more I think about this - the more I'm not entirely sure I know what I want. Cuz dumping all the raw UDP to a file would leave me with questions on when packets start and stop.
Maybe a better question would be - when using TShark, is it possible to only capture UDP and that's it? I'm seeing TCP due to my telnet session intermixed in there.
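The two things asked for in this thread (capture only UDP, then dump each UDP packet's raw payload while skipping DNS Format errors) can both be done with tshark alone. The script below is an added example, not something posted in the thread; it assumes a tshark from Wireshark 3.x or later (where the `udp.payload` field exists; older builds expose the bytes as `data.data`), and the interface and file names are placeholders. Only UDP is written to disk because `-f udp` is a capture filter applied before anything is saved, so the Telnet/TCP session never enters the file. On read-back, `-Y` is the single-pass display filter (`-R` is the two-pass read filter and needs `-2`), and `-T fields` prints one line per packet, which answers the "where does a packet start and stop" worry: every line is exactly one datagram, with its frame number and length in front of the hex payload.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds, and optionally runs,
# the tshark command lines for (1) capturing only UDP and (2) reading the
# capture back as one tab-separated line per UDP packet, dropping DNS
# replies whose RCODE is 1 (Format error). Assumes Wireshark/tshark 3.x+
# for the udp.payload field; eth0 and the file names are placeholders.

# Capture-time BPF filter: only UDP frames are ever written to the file.
capture_cmd() {
  # $1 = interface, $2 = output capture file
  printf 'tshark -i %s -f udp -w %s\n' "$1" "$2"
}

# Read-time display filter: keep UDP, but drop DNS packets with RCODE 1.
# Non-DNS UDP and DNS with any other RCODE (e.g. NOERROR) pass through.
good_udp_filter() {
  printf '%s' 'udp && !(dns.flags.rcode == 1)'
}

# Field list shared by the printed command and the real invocation.
# frame.number and udp.length mark each datagram's boundary explicitly.
udp_fields() {
  printf '%s' '-e frame.number -e frame.time_relative -e ip.src -e udp.srcport -e ip.dst -e udp.dstport -e udp.length -e udp.payload'
}

# Copy-paste version of the read-back command (tab-separated, header row).
dump_cmd() {
  # $1 = input capture file
  printf 'tshark -r %s -Y "%s" -T fields -E header=y -E separator=/t %s\n' \
    "$1" "$(good_udp_filter)" "$(udp_fields)"
}

# Actually run the read-back and write the result to a TSV file.
run_dump() {
  # $1 = input capture file, $2 = output TSV file
  # shellcheck disable=SC2046  # word-splitting the -e list is intended
  tshark -r "$1" -Y "$(good_udp_filter)" -T fields -E header=y -E separator=/t \
    $(udp_fields) > "$2"
}

# Usage:  sh udp_dump.sh            -> print the two commands
#         sh udp_dump.sh run cap.pcapng udp_payloads.tsv  -> run the read-back
if [ "${1:-}" = "run" ] && command -v tshark >/dev/null 2>&1; then
  run_dump "${2:-capture.pcapng}" "${3:-udp_payloads.tsv}"
else
  capture_cmd eth0 capture.pcapng
  dump_cmd capture.pcapng
fi
```

The resulting TSV has one datagram per row, so a parser no longer has to understand the pcap/pcapng file header at all; it only has to split on tabs and hex-decode the last column. If you would rather keep the DNS Format errors and inspect them separately, change the filter to `udp && dns.flags.rcode == 1` and run the same command again.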