How do I display udp data for all UDP frames (with tshark or any other command line tool)?
I have tried this:
$ tshark -r myfile.pcap -T fields -e data
... but it only works for udp frames that don't decode udp data as some other protocol.
Is there something like "-e udp.data"?
Or is there a way to say "decode all udp (or udp.dstport==<port>) as raw udp", so that "-e data" will work?
For example, I have the 2 UDP frames below, and with "-e data" I am not able to extract the udp data for the second frame:
1 0.000000 172.18.10.21 -> 172.18.10.255 UDP Source port: 1105 Destination port: 51020
0000 ff ff ff ff ff ff 00 02 b3 ec b7 71 08 00 45 00 ...........q..E.
0010 00 24 05 97 00 00 40 11 07 fa ac 12 0a 15 ac 12 .$....@.........
0020 0a ff 04 51 c7 4c 00 10 52 99 00 02 00 02 00 00 ...Q.L..R.......
0030 74 5a 00 00 00 00 00 00 00 00 00 00 tZ..........
2 0.085200 172.18.10.2 -> 224.0.0.2 HSRP Hello (state Active)
0000 01 00 5e 00 00 02 00 00 0c 07 ac 01 08 00 45 c0 ..^...........E.
0010 00 4e 00 00 00 00 01 11 22 c9 ac 12 0a 02 e0 00 .N......".......
0020 00 02 07 c1 07 c1 00 3a 48 9a 00 00 10 03 0a 69 .......:H......i
0030 01 00 00 00 00 00 00 00 00 00 ac 12 0a 01 04 1c ................
0040 01 00 00 00 ac 12 0a 02 00 00 00 00 40 2e af 40 ............@..@
0050 aa bb 9b 32 08 a8 a8 e8 13 7e 8a 2a ...2.....~.*
Thanks for your answer.
regards,
Zoran
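An added example, not part of the original post: one way to get the UDP payload of every frame regardless of which dissector claims it is to parse the Ethernet/IPv4/UDP headers directly. The sketch below runs on the two frames from the hex dumps above; the function name `udp_payload` is hypothetical, and it assumes untagged Ethernet II carrying unfragmented IPv4.

```python
import struct

# Frame bytes copied from the two hex dumps in the post (1: plain UDP, 2: HSRP).
FRAME1 = bytes.fromhex(
    "ffffffffffff0002b3ecb77108004500" "002405970000401107faac120a15ac12"
    "0aff0451c74c00105299000200020000" "745a00000000000000000000")
FRAME2 = bytes.fromhex(
    "01005e00000200000c07ac01080045c0" "004e00000000011122c9ac120a02e000"
    "000207c107c1003a489a000010030a69" "01000000000000000000ac120a01041c"
    "01000000ac120a0200000000402eaf40" "aabb9b3208a8a8e8137e8a2a")


def udp_payload(frame):
    """Return (src_port, dst_port, payload) for an Ethernet II/IPv4/UDP frame, else None."""
    # Assumption: no VLAN tag, so the EtherType sits at offset 12.
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length, options included
    if ihl < 20 or ip[9] != 17:       # protocol 17 = UDP
        return None
    flags_offset = struct.unpack("!H", ip[6:8])[0]
    if flags_offset & 0x3FFF:         # MF set or non-zero offset: a fragment
        return None
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    sport, dport, length, _checksum = struct.unpack("!HHHH", udp[:8])
    if length < 8:
        return None
    # Slice by the UDP length field, not to the end of the frame: frame 1 is
    # padded to the 60-byte Ethernet minimum and the padding is not payload.
    return sport, dport, udp[8:length]


if __name__ == "__main__":
    for number, frame in enumerate((FRAME1, FRAME2), 1):
        sport, dport, data = udp_payload(frame)
        print(number, sport, dport, data.hex())
```
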