This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Export to a Human Readable Text File

0

Hi All,

I hope that you can help me to resolve a small issue. While using the export feature of Wireshark 1.05 -> Export Specified Packets -> K12 text file (*.txt, txt.gz), I obtained a file with non-human-readable content (sample attached below). I hope that you can help me to find a way to export the Wireshark capture (layers 2-7) to a readable text / csv file.

Thank you

asked 24 Feb '14, 12:20

yuval14


One Answer:

1

Well, it's obviously human-readable, in that you read the text and said "what the heck is this?" :-)

"Export Specified Packets" is for writing out trace files, largely in formats intended to be read by packet analyzer programs (such as tcpdump, Wireshark, Microsoft Network Monitor, etc.). Even the text forms there are largely to be read by programs such as Wireshark, not by people (well, non-highly-nerdy people, anyway; the K12 text format is produced by some network analyzers, but they largely just give raw packet data in hex).

You probably want one of the options under "Export Packet Dissections", which writes out information either for humans to look at directly (as "Plain Text" file...) or for programs expecting text input to analyze (as "CSV" (Comma Separated Values packet summary) file, as XML ("PSML" - packet summary) file, as XML ("PDML" - packet detail) file).

answered 24 Feb '14, 17:07

Guy Harris ♦♦

Hi, I also tried to use "Export Packet Dissections". However, while reviewing the output I couldn't find common information (e.g. HTTP cookies, HTTP security headers, etc.)

(24 Feb '14, 21:51) yuval14

Which format under "Export Packet Dissections" did you try?

HTTP cookies are in HTTP headers with the media types "Set-Cookie" and "Cookie". If you do a "Plain Text" they should show up IF the request or response actually included cookies. HTTP security headers should show up in the same fashion IF they're present.

Cookies should also show up as the "http.cookie" and "http.set_cookie" fields in XML ("PDML", not "PSML") output. Some other headers might show up in XML output as well.

The CSV output only shows packet summary information, so, if you want some field to show up in the CSV output from Wireshark, you'd have to make it into a custom column.

(25 Feb '14, 00:59) Guy Harris ♦♦
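
As an added example (not part of the original thread and not Wireshark's own code), this script reads a PDML export and lists, per HTTP packet, the `http.cookie` and `http.set_cookie` values mentioned above, plus any security headers present. The sample PDML is constructed and trimmed, the `SECURITY_HEADERS` list is an assumption, and other header lines are assumed to appear as fields whose `showname` or `show` text starts with `Name:`.

```python
import xml.etree.ElementTree as ET

# Header names to look for; this list is an assumption chosen for the example.
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options")

# Constructed PDML, trimmed to the attributes used here (not from the capture
# in the question). Real "Export Packet Dissections" PDML carries more fields.
SAMPLE_PDML = r"""<pdml>
 <packet>
  <proto name="frame"><field name="frame.number" show="1"/></proto>
  <proto name="tcp"><field name="tcp.flags" show="0x0002"/></proto>
 </packet>
 <packet>
  <proto name="frame"><field name="frame.number" show="4"/></proto>
  <proto name="http">
   <field name="http.cookie" showname="Cookie: sid=abc123\r\n" show="sid=abc123"/>
  </proto>
 </packet>
 <packet>
  <proto name="frame"><field name="frame.number" show="6"/></proto>
  <proto name="http">
   <field name="http.set_cookie" showname="Set-Cookie: sid=def456; HttpOnly\r\n" show="sid=def456; HttpOnly"/>
   <field name="http.response.line" showname="Strict-Transport-Security: max-age=31536000\r\n" show="Strict-Transport-Security: max-age=31536000\r\n"/>
  </proto>
 </packet>
</pdml>"""

def audit_pdml(pdml_text):
    """Return one record per packet that has an HTTP layer."""
    records = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        http = packet.find("proto[@name='http']")
        if http is None:          # not HTTP: nothing to report
            continue
        num = packet.find("proto[@name='frame']/field[@name='frame.number']")
        rec = {"frame": num.get("show") if num is not None else None,
               "cookie": [], "set_cookie": [], "security_headers": []}
        for field in http.iter("field"):      # iter() also walks nested fields
            name = field.get("name", "")
            if name == "http.cookie":
                rec["cookie"].append(field.get("show", ""))
            elif name == "http.set_cookie":
                rec["set_cookie"].append(field.get("show", ""))
            label = (field.get("showname") or field.get("show") or "").lower()
            for header in SECURITY_HEADERS:
                if label.startswith(header + ":") and header not in rec["security_headers"]:
                    rec["security_headers"].append(header)
        records.append(rec)
    return records
```

To use it on a real export, pass the text of the file saved through "Export Packet Dissections" as XML ("PDML") to `audit_pdml`.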