How to get entire raw packets by using tshark?
I couldn't find a way to extract all raw packets from a PCAP file.
There is something like:
tshark -r file.pcap -T fields -e frame.number -e data
However, it doesn't return the entire packet.
It should be something like:
tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
However, with only frame.raw output for each packet.
My desired output is (frame number and any format of the entire packets):
1 00a0c58fe3c7000c761c1b97080045000028939e40004006f9adc0a80121ccb21f08db2d023467a50f421c83f58350100993926d0000
2 08db2d023468fe3c7000c761c1b97080045000028939e40004006f9adc0a80121ccb21f08db2d023467a50f421c83f58350100993926d0000
....
It might help if you were a little more precise about what you want it to return. Can I assume that the hexdump output is not what you want because you not only don't want the ASCII (which can be turned off) but you also don't want the offset information before each line?
You want each packet to contain on one line, tab-separated, the frame number and the frame data, correct? Is it a problem if the hex bytes are separated with a space or with a colon? (Producing the output that Chuck mentions and then post-processing it is also an option.)
@johnthacker, of course, it would work with the produced JSON and preprocessing afterward; however, one of the significant points in my case is the processing time... By using -e filters, tshark returns almost all you need very fast, except the raw frame, which is important for me.
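
Added example, not part of the thread and not a tshark feature: when only the frame number and the raw bytes are needed, the capture file can be read directly, with no dissection at all. The sketch below assumes a classic pcap file (pcapng, Wireshark's default save format, is rejected rather than parsed); the function names and the sample frames are constructed for illustration.

```python
import struct
import sys

# First four bytes of a classic pcap file -> struct byte-order prefix.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def iter_frames(buf):
    """Yield (frame_number, raw_bytes) per record of a classic pcap buffer."""
    if len(buf) < 24 or buf[:4] not in _MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    rec = struct.Struct(_MAGICS[buf[:4]] + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    offset, number = 24, 0  # records start after the 24-byte global header
    while offset < len(buf):
        if offset + rec.size > len(buf):
            raise ValueError("truncated record header after frame %d" % number)
        _sec, _frac, incl_len, _orig_len = rec.unpack_from(buf, offset)
        offset += rec.size
        if offset + incl_len > len(buf):
            raise ValueError("truncated data in frame %d" % (number + 1))
        number += 1
        yield number, buf[offset:offset + incl_len]
        offset += incl_len

def dump_lines(buf):
    """Return one 'frame_number hexbytes' string per captured frame."""
    return ["%d %s" % (n, data.hex()) for n, data in iter_frames(buf)]

def build_sample_pcap(frames):
    """Constructed test input: little-endian pcap, Ethernet link type (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:  # no file given: use two constructed frames
        data = build_sample_pcap([bytes.fromhex("00a0c58fe3c7000c761c1b970800"), b"\x01\x02\x03"])
    print("\n".join(dump_lines(data)))
```

Frame numbers here are record positions in the file, which match frame.number only when the whole file is read without a display filter.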