Wireshark-users: Re: [Wireshark-users] use tshark to search for hex or ASCII string in packet?
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 10 Jan 2008 16:29:46 +0100
On Thu, Jan 10, 2008 at 03:05:19PM +0100, Marc Luethi wrote:
> On Wed, 2008-01-09 at 16:02 -0700, Stephen Fisher wrote:
> > On Wed, Jan 09, 2008 at 11:45:33PM +0100, Marc Luethi wrote:
> > 
> > > tshark -r file.pcap -T fields -e data
> > > 
> > > This yields to output in hex, which I could cope with, but it lacks 
> > > the timestamp.
> > 
> > You could add -e frame.time to get the frame's arrival time also
> 
> That's great! Thanks a lot!
> 
> Now I still wonder if I could get ASCII-output of the data field instead
> of hex? I mean ASCII in the same way as it interpreted when using -V or
> -x.
> 
> I said I could cope with Hex, but it's another layer of complexity,
> since I'll get the data strings to search for as ASCII, and it could
> save us one conversion step.

How'bout:

tshark -r <capture-file> -T fields -e frame.time -e data |\
 grep `echo -n "<ascii-string>" | xxd -p` |\
 cut -f 1

Hex-conversion on the fly and resulting in only the timestamps ;-)

Cheers,
    Sake