Ask Your Question

Recording traffic while hiding payload

asked 2019-04-08 11:04:59 +0000

gidin gravatar image

Hi, i am new to Wireshark. Does Wireshark have a feature that hides the payload (e.g. after L4) of recorded traffic, but still allows me to know the packet size (i.e. truncation is not good enough). So maybe replacing the payload by 0xFF. The reason for asking is that i want to record traffic on my organization network for some research i am doing on traffic behavior, but i am not allowed by my IT department to see the payloads of the user's traffic.


edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2019-04-08 14:25:58 +0000

SYN-bit gravatar image

Wireshark can be instructed to save X bytes of each packet by specifying a "snaplength". When doing so, it does record the original packet-length in the pcap(ng) header of the packet. In the resulting file, the frame.len will be the original packet length and frame.cap_len will be set to X when the packet was larger than X (and it will be set to the frame length if it was not truncated).

Please be aware that the headers up to L4 can be different in size, so you either have to set X to a bare minimum to not get any payload data (and you will loose some L4 header information on some packets) or you can set it so that it will always capture the full L4 headers, but then you do get some of the payload data.

I don't know of a tool that can do dynamic slicing based on the protocol while capturing. There are however tools that can slice after a certain layer when post processing the data, but that would not fit your requirement IMHO.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-04-08 11:04:59 +0000

Seen: 682 times

Last updated: Apr 08 '19