This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

exporting payload data in binary file

1

Hi,

I have successfully created a filter and captured the packets I need. I have looked at the various save and export options in Wireshark, and fail to find an option to save only the payload data in a binary file without any file headers or formatting.

Is this possible in Wireshark, or do I need to create some sort of script to do this?

Thanks in advance for any replies.

asked 10 Aug '14, 01:36

yulquen
accept rate: 0%


One Answer:

0

Is this possible in Wireshark, or do I need to create some sort of script to do this?

Wireshark

Scripting:

tshark examples:

http://ask.wireshark.org/questions/23827/get-tcp-and-udp-payloads-with-tshark
http://ask.wireshark.org/questions/15374/dump-raw-packet-data-field-only
run tshark -nr input.pcap -Vx and then parse the output

Lua Examples:

http://wiki.wireshark.org/Lua/Examples
http://wiki.wireshark.org/Lua/Taps

Regards
Kurt

answered 10 Aug '14, 06:24

Kurt Knochner ♦
accept rate: 15%

edited 10 Aug '14, 06:25
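The scripting route from the answer above, as an added example that is not part of Kurt's answer or of Wireshark itself: instead of parsing tshark's `-Vx` text output, this walks a classic pcap file directly in Python (standard library only), pulls out every TCP payload in capture order and writes the bare bytes to a file with no headers. It assumes an Ethernet link type, IPv4 and TCP, and does no reassembly or retransmission handling; the 10.0.0.x addresses, port 5000 and the sample capture it builds in memory are constructed test data. The `truncated` counter performs the same check the later comments ask for, comparing bytes captured against bytes on the wire for each frame.

```python
"""Extract raw TCP payload bytes from a classic pcap file into a headerless binary blob."""
import struct

PCAP_GLOBAL_HDR_LEN = 24
PCAP_RECORD_HDR_LEN = 16
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
DLT_EN10MB = 1


def _endianness(magic):
    # The pcap magic is written in the capturing host's byte order; it tells us
    # how to read the global and per-record headers (packet bytes are untouched).
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a classic pcap file (magic %r)" % magic)


def iter_frames(pcap_bytes):
    """Yield (captured_len, on_wire_len, frame_bytes) for every record in the file."""
    endian = _endianness(pcap_bytes[:4])
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet link type is handled in this example")
    pos = PCAP_GLOBAL_HDR_LEN
    while pos + PCAP_RECORD_HDR_LEN <= len(pcap_bytes):
        _sec, _usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[pos:pos + PCAP_RECORD_HDR_LEN])
        pos += PCAP_RECORD_HDR_LEN
        yield incl_len, orig_len, pcap_bytes[pos:pos + incl_len]
        pos += incl_len


def tcp_payload(frame):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR_LEN or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    # Bound by the IP total length so Ethernet trailer padding never leaks into the payload.
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    sport, dport = struct.unpack("!HH", tcp[:4])
    return sport, dport, tcp[data_off:]


def extract_tcp_payloads(pcap_bytes, dst_port=None):
    """Concatenate TCP payloads in capture order, optionally filtered by destination port.

    stats['truncated'] counts frames whose captured length is below the on-wire
    length, i.e. captures taken with a snaplen that cut the payload short.
    """
    out = bytearray()
    stats = {"frames": 0, "tcp_frames": 0, "with_payload": 0, "truncated": 0}
    for incl_len, orig_len, frame in iter_frames(pcap_bytes):
        stats["frames"] += 1
        if incl_len < orig_len:
            stats["truncated"] += 1
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        _sport, dport, payload = parsed
        stats["tcp_frames"] += 1
        if dst_port is not None and dport != dst_port:
            continue
        if payload:
            stats["with_payload"] += 1
            out += payload
    return bytes(out), stats


def build_sample_pcap(segments, dport=5000, snaplen=65535):
    """Constructed test data: one Ethernet/IPv4/TCP frame per payload segment (no checksums)."""
    def frame(payload, seq):
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
        return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip

    records, seq = b"", 1
    for payload in segments:
        f = frame(payload, seq)
        seq += len(payload)
        records += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, DLT_EN10MB)
    return header + records


if __name__ == "__main__":
    sample = build_sample_pcap([b"GET / HTTP/1.0\r\n", b"Host: example\r\n", b"\r\n"])
    data, stats = extract_tcp_payloads(sample, dst_port=5000)
    with open("payload.bin", "wb") as fh:  # raw bytes only, no pcap or frame headers
        fh.write(data)
    print(stats)
```

To use it on a real capture, replace the constructed `sample` with `open("input.pcap", "rb").read()`; if `stats["truncated"]` is non-zero the capture was taken with a snaplen that cut payloads short and no post-processing can recover the missing bytes.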

Follow TCP stream seems to be the easiest solution, but there seems to be a limitation.

When I select the first packet and Follow TCP stream, only a small part of the data is available (about 204KB of 16MB's of data capture). Saving as raw gives me the payload data I wanted, but only a small fraction of the whole data set.

(10 Aug '14, 13:14) yulquen

did you limit the frame size during the capture phase?

Please check if bytes on wire and bytes captured (Frame layer) are identical.

(10 Aug '14, 14:09) Kurt Knochner ♦

They are the same (1514 bytes).

My capture has 10881 packets. If I select "Follow TCP stream" the dropdown says "Entire conversation (204400 bytes)", and when I do a raw save, that's how big my file gets.

TCP segment length is 1460 so it amounts to payload from exactly 140 packets instead of 10881.

(10 Aug '14, 14:32) yulquen

hm.. could be a bug. What is your

  • OS and OS version
  • Wireshark version

(10 Aug '14, 14:53) Kurt Knochner ♦

  • win7 pro 64bit sp1
  • wireshark Version 1.12.0 (v1.12.0-0-g4fab41a from master-1.12)

(11 Aug '14, 00:39) yulquen

can you please try version 1.10.9?

(11 Aug '14, 02:44) Kurt Knochner ♦

done, same result.

(11 Aug '14, 03:18) yulquen

well, then it's probably related to your capture file. Is there any special protocol on top of TCP that Wireshark 'detects', like SMTP, HTTP, etc.?

(11 Aug '14, 04:11) Kurt Knochner ♦

The packet details only lists Ethernet II, IP V4 and TCP for all packets.

If I disable all other protocols, there's an additional listing for data (1460 bytes). But even so, selecting "Follow TCP stream", it still says 204400 bytes in total. Looking at the raw export file in a hex-viewer, it is clear that Wireshark just exports the payload from the 140 first frames, and leaves the rest of them out.

(11 Aug '14, 04:43) yulquen

it is clear that Wireshark just exports the payload from the 140 first frames, and leaves the rest of them out.

hm... sounds like a bug. Please file a bug report at https://bugs.wireshark.org and add a reference to this question. Please add as much information as possible, e.g. a smaller capture file that helps to reproduce the problem.

(11 Aug '14, 05:34) Kurt Knochner ♦