I have a custom protocol that runs on port 8888 (no, it's not http) and on top of TCP. I've captured the flow of packets into the PCAP file. The problem is that now I cannot display just the data portion of it.
I've tried with the following command:
tshark -r test.pcap -R 'tcp.port==8888 && tcp.len>0' -T fields -e "tcp.data"
But it displays empty strings. Isn't the tcp.data field the one that holds the data of the TCP packet?
How can I display only the data that I need?
There is "Analyze/Follow TCP stream" functionality in Wireshark.
Just select a TCP packet from the packet list and then "Follow TCP stream".... and Wireshark displays the TCP conversation of the selected connection.
EDIT: tcp.data does not exist. Use data.data instead:
tshark -r mon.pcap -R "(tcp.port == 8888) && (tcp.len > 0)" -T fields -e data.data
If Wireshark knows the protocol which uses the port (8888), then the previous won't work. But the following trick works:
tshark -r mon.pcap -R "(tcp.port == 8888) && (tcp.len > 0)" -T fields -d tcp.port==8888,echo -e echo.data
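As an added illustration that is not part of the question or the answer, here is a pure-stdlib Python walk over a pcap that applies the same selection as the tshark command above ("tcp.port == 8888 && tcp.len > 0") and also stitches the payloads per direction the way "Follow TCP stream" does. The capture is constructed inline; a classic little-endian pcap file with IPv4 over untagged Ethernet is assumed.

```python
import struct

PORT = 8888  # the custom protocol's port from the question

def _ipv4_tcp_frame(src, sport, dst, dport, payload):
    """Build one pcap record: Ethernet + IPv4 + TCP + payload (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

# Constructed sample capture: a client talks to 10.0.0.2:8888, gets a reply,
# sends a bare ACK (tcp.len == 0) and also has an unrelated HTTP segment.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _ipv4_tcp_frame("10.0.0.1", 40000, "10.0.0.2", 8888, b"HELLO "),
    _ipv4_tcp_frame("10.0.0.1", 40000, "10.0.0.2", 8888, b"WORLD\n"),
    _ipv4_tcp_frame("10.0.0.2", 8888, "10.0.0.1", 40000, b"OK\n"),
    _ipv4_tcp_frame("10.0.0.1", 40000, "10.0.0.2", 8888, b""),
    _ipv4_tcp_frame("10.0.0.1", 50000, "10.0.0.3", 80, b"GET / HTTP/1.0\r\n"),
])

def tcp_payloads(pcap, port=PORT):
    """Yield (src, dst, payload) for each segment matching tshark's
    'tcp.port == port && tcp.len > 0'. Handles classic little-endian pcap
    with Ethernet/IPv4/TCP only; IP and TCP header options are honoured."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl : 14 + ip_total]  # ip_total trims Ethernet padding
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4 :]  # skip the TCP header and its options
        if port in (sport, dport) and payload:
            src = ".".join(map(str, frame[26:30])) + f":{sport}"
            dst = ".".join(map(str, frame[30:34])) + f":{dport}"
            yield src, dst, payload

def follow_stream(pcap, port=PORT):
    """Concatenate payloads per direction, like 'Follow TCP stream' (without the
    reordering and retransmission handling Wireshark does)."""
    streams = {}
    for src, dst, payload in tcp_payloads(pcap, port):
        streams[(src, dst)] = streams.get((src, dst), b"") + payload
    return streams
```

Each yielded payload is what `-e data.data` prints for that packet (older tshark releases show it as colon-separated hex), so `payload.hex(":")` reproduces that column.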