This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Printing tcp payload using tshark -T fields?

0

Hi all,

I'm trying to print out the first 20 TCP payload bytes in tshark, but I want to print out several other fields so that I can pass the result to an analysis program I'm writing. Easiest way for me to parse the data is CSV, so I'm using tshark in -T fields mode with -E separator=,

So I have additional options such as -e tcp.srcport -e tcp.stream -e tcp.flags.syn and so on. But as the last field, I can't find how to output the first 20 TCP payload bytes. I tried something like -e frame[54-73] but that didn't print anything out, neither did -e tcp[20-39] nor -e ip[54-73].

Any ideas?

Thanks,

--Rob

asked 04 Apr '11, 09:13

RobB

I should also mention that -e data doesn't work: for TCP packets, it prints out nothing (even though I know there is data in there), and it only seems to print out data for things like IP fragments.

(04 Apr '11, 09:23) RobB

One Answer:

1

Starting with Wireshark 1.4.5, available from the main download page, or with any development release starting from r36629, available from the automated download area, the TCP segment data is now filterable with "tcp.data". Unfortunately, you still won't be able to limit the amount of data with something like "tcp.data[0:20]".

answered 16 Apr '11, 13:14

cmaynard
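
An added example, not part of the original thread: because "tcp.data" cannot be sliced in -e, the cut to the first 20 payload bytes can be made on tshark's CSV output instead. The function name truncate_payload, the file name capture.pcap and the sample rows are constructed here; the filter assumes tcp.data is the last -e field and is printed as hex, with or without ":" separators.

```shell
#!/bin/sh
# Capture side, using the fields from the question plus tcp.data last:
#   tshark -r capture.pcap -T fields -E separator=, -E occurrence=f \
#       -e tcp.srcport -e tcp.stream -e tcp.flags.syn -e tcp.data
# capture.pcap is a placeholder. Where the tshark build supports it,
# -E occurrence=f keeps one value per field, so the default ","
# aggregator cannot add extra columns to a row.

# truncate_payload N: read CSV on stdin and keep only the first N bytes
# of the last column. Accepts "48:54:54" and "485454" style hex; rows
# whose last column is not valid hex are reported on stderr and dropped.
truncate_payload() {
    awk -F, -v OFS=, -v n="$1" '
    NF == 0 { next }
    {
        hex = $NF
        gsub(/:/, "", hex)
        if (hex ~ /[^0-9A-Fa-f]/ || length(hex) % 2 != 0) {
            printf "line %d: bad payload field, skipped\n", NR > "/dev/stderr"
            next
        }
        $NF = tolower(substr(hex, 1, 2 * n))   # 2 hex digits per byte
        print
    }'
}

# Constructed sample rows: srcport,stream,syn,tcp.data
# (a SYN with no payload, a 26-byte request, a 17-byte reply, a bad row)
sample_rows() {
    cat <<'EOF'
51514,0,1,
51514,0,0,47:45:54:20:2f:69:6e:64:65:78:2e:68:74:6d:6c:20:48:54:54:50:2f:31:2e:31:0d:0a
80,0,0,485454502F312E3120323030204F4B0D0A
80,0,0,zz:zz
EOF
}

sample_rows | truncate_payload 20
```

Rows without payload keep an empty last column, so every output row still has the same number of fields for the downstream parser.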