Re: Extracting payload from ethernet dumps

[Sake Blok <sake () euronet nl>]

On 27 sep 2010, at 16:49, Simon Greifswald wrote:

> I have several gigabytes of dumped network traffic in files, and I need to 
> extract the payload from each packet. So, I want to discard all link layer, 
> internet layer, transport layer headers and only extract the udp packet's 
> payload in a new file.

For TCP you can use "tcpflow":

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way 
that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the 
wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the 
actual data streams and stores each flow in a separate file for later analysis.

(http://www.circlemud.org/~jelson/software/tcpflow/)


This does of course not work for UDP, but putting UDP payloads together from a trace that contains one "conversation" 
can be done easily with the script attached to the following message:

http://www.wireshark.org/lists/wireshark-users/200611/msg00133.html


Hope this helps,
Cheers,


Sake



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe