Wireshark-users: [Wireshark-users] Printing the TCP payload with tshark
From: Nicholas Piper <nick-wireshark@xxxxxxxxxxxxxxx>
Date: Mon, 10 Mar 2008 23:56:15 +0000
Dear list,

I currently am using the following:

tshark -R "tcp.port == 80 and ip.addr == 123.123.123.123 and not
 tcp.analysis.retransmission" -r capture.pcap -T fields -E
 quote=s -E header=y -e frame.number -e ip.len -e tcp.len -e ip.src -e
 http.request.uri -E separator="," 

I'd like to include an ASCII representation of the TCP payload (just
the first 30 bytes) on each line too, so that I can visually spot the
HTTP traffic, and see parts of the response.

Is that possible?

I'm using tshark 0.99.6rel-5.

Much thanks,

 Nick