Ethereal-users: Re: [Ethereal-users] ASCII Dump?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 17 Nov 2005 10:48:01 -0800

Luke wrote:
> On Nov 16, 2005, at 2:26 PM, Guy Harris wrote:

> What I'm looking for is for the packet to be ASN.1 decoded (i.e., only show the decoded data), and just have all bytes of the packet dumped, using ASCII character code.

"Only show the decoded data" in what sense? Presumably "only show the decoded data" and "have all bytes of the packet dumped, using ASCII character code" are separate operations, as "only show {some subset of} the data" and "all bytes" are mutually exclusive.

> Basically, if a kerberos packet comes in, I want to see the string "krbtgt" (and all the other stuff that goes with the packet) in the dump file, not octal bytes, ASN.1 formatting junk, etc.

What do you mean by "all the other stuff that goes with the packet"? The ASN.1 BER tag and length information are "stuff that goes with the packet", but they're not ASCII text.

I.e., not "all the other stuff that goes with the packet" is ASCII.

Do you want only the bytes of the packet in the range 0x20 through 0x7f, i.e. the bytes that are printable ASCII characters?

> Note that I also don't want any of the tethereal comments,

What do you mean by "tethereal comments"? What are examples of "tethereal comments"?

> dissection info, etc.

Again, what do you mean by "dissection info"?

> Is this possible with Tethereal? Obviously, tethereal can do all this decoding, since I see it being done during the dissection, I just want to know if it's possible to just dump the decoded packet.

What do you mean by "decoded"? Presumably you don't mean the same thing as "dissected", because dissection is what produces all the stuff you don't want.

Do you mean that you want the decoded values of each field in the packet, printed in ASCII, but not the names of the field, e.g., instead of

Frame 1 (60 bytes on wire, 60 bytes captured)
    Arrival Time: May 19, 1999 17:48:39.708517000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 60 bytes
    Capture Length: 60 bytes
    Protocols in frame: eth:arp
Ethernet II, Src: 00:01:02:03:04:05 (00:01:02:03:04:05), Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: 00:01:02:03:04:05 (00:01:02:03:04:05)
    Type: ARP (0x0806)
    Trailer: 000000000000000000000000000000000000
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:01:02:03:04:05 (00:01:02:03:04:05)
    Sender IP address: 1.2.4.3 (1.2.4.3)
    Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
    Target IP address: 1.2.4.255 (1.2.4.255)

you'd want

    ff:ff:ff:ff:ff:ff
    00:01:02:03:04:05
    0x0806
    0x0001
    0x0800
    6
    4
    0x0001
    00:01:02:03:04:05
    1.2.4.3
    00:00:00:00:00:00
    1.2.4.255
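
The two readings discussed in the message above, as an added example that is not part of the original post and not Ethereal code: `values_only` reduces verbose dissection text to bare field values, and `printable_runs` keeps only printable-ASCII bytes of a raw packet. The function names, the choice to skip the Frame section and the Trailer field, the 0x20-0x7e printable range, and the BER bytes are assumptions made for the illustration.

```python
import re

# Constructed sample: abridged copy of the verbose dissection quoted in the message.
DISSECTION = """\
Frame 1 (60 bytes on wire, 60 bytes captured)
    Frame Number: 1
Ethernet II, Src: 00:01:02:03:04:05 (00:01:02:03:04:05), Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: 00:01:02:03:04:05 (00:01:02:03:04:05)
    Type: ARP (0x0806)
    Trailer: 000000000000000000000000000000000000
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:01:02:03:04:05 (00:01:02:03:04:05)
    Sender IP address: 1.2.4.3 (1.2.4.3)
    Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
    Target IP address: 1.2.4.255 (1.2.4.255)
"""

FIELD = re.compile(r"^\s+(?P<name>[^:]+): (?P<value>.*)$")
RAW = re.compile(r"\((?P<raw>[^()]+)\)$")

def values_only(text, skip_sections=("Frame",), skip_fields=("Trailer",)):
    """Return field values without names, preferring the raw value in parentheses."""
    out, skipping = [], False
    for line in text.splitlines():
        if line and not line[0].isspace():          # unindented line = protocol header
            skipping = line.startswith(skip_sections)
            continue
        m = FIELD.match(line)
        if not m or skipping or m["name"] in skip_fields:
            continue
        raw = RAW.search(m["value"])
        out.append(raw["raw"] if raw else m["value"])
    return out

def printable_runs(data, min_len=4):
    """Other reading: keep only runs of printable ASCII (0x20-0x7e), like strings(1)."""
    return [r.decode("ascii") for r in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed bytes: a BER GeneralString (tag 0x1b, length 6) inside a SEQUENCE (0x30).
BER = bytes.fromhex("30081b066b7262746774")
```

With `min_len=1` the SEQUENCE tag byte 0x30 also survives as the character `0`, which shows why a plain printable-byte filter cannot separate ASN.1 framing from string content.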