Revision history
tshark packet data not displaying

Hi everyone,

I'm running into a weird problem with tshark. The scenario is I'm using ettercap on a Raspberry Pi to perform a man-in-the-middle attack and look at all the traffic between two devices.

When I send messages with the Raspberry Pi to one of the devices, I can use the command

sudo tshark -Y "ip.src == 192.92.92.200" -T fields -e data

to print the hex contents of the packets I'm sending (where 192.92.92.200 is the address of the Pi). However, when I do the same with the address of one of the devices I'm ARP spoofing, no data is printed to the screen. However, whenever a packet is received, a blank line is printed to the screen. If I simply run

sudo tshark

all of the traffic in the network, including the packets being sent between the two devices I am ARP spoofing, is shown (though of course this command doesn't print the actual contents of the packets, which is what I'm looking for). So if tshark can see the packets being sent between the two devices, and if the contents of the packets can be printed in the case that they are sent from the Raspberry Pi, why can't I print the contents of the messages being sent from the devices I'm ARP spoofing?

Update with more details:

I tried adding more -e fields to see what would happen. When I ran the command

sudo tshark -o data.show_as_text:TRUE -Y "ip.dst == 192.92.92.108" -T fields -e frame.time -e data -e ip.src

everything was printed in this format:

June 30, 2018 23:34:54.359272718 UTC 192.92.92.107

The part where the data is expected is completely blank, but tshark clearly can see and read those packets. Also, if I open up Wireshark instead of tshark, I can see the contents of the data packets.