Wireshark-dev: Re: [Wireshark-dev] Displaying hex dump ONLY in tshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 22 Aug 2011 16:19:14 -0700

On Aug 22, 2011, at 3:06 PM, kahou lei wrote:

> Hi,
> 
> Is there a way to display hex dump ONLY in tshark? Currently if I use -x option, it will display something like this:
> 
> 0000  00 10 94 00 00 02 00 10 94 00 00 01 08 00 45 00   ..............E.
> 0010  00 6e 00 2c 00 00 ff 06 3a 05 c0 55 01 02 c0 00   .n.,....:..U....
> 0020  00 01 04 00 04 00 00 01 e2 40 00 03 94 47 50 10   .........@...GP.
> 0030  10 00 35 e5 00 00 00 00 00 00 00 00 00 00 00 00   ..5.............
> 0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> 0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> 0060  00 00 00 00 00 00 00 00 d3 f7 31 d9 08 e3 6c 13   ..........1...l.
> 0070  ab 44 7e bd 30 4b 44 fd f6 c1 58 f0 ee d0 6f 8d   .D~.0KD...X...o.
> 
> I don't want the index number and the display out on the right most area. Is there a way I can only display the hex values in between?

There's no option to do that.  You could look at piping to a script.

Do you want anything *other* than the hex dump?  If not, then if you're doing a live capture or reading a pcap (or, with newer versions of libpcap, pcap-ng) file, you could write a program (which could be written in one of the scripting languages that supports libpcap) that reads the capture and just dumps out the raw packet data in hex.
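
The "piping to a script" suggestion above, as an added example that is not part of the original message: a Python filter that keeps only the hex bytes of `tshark -x` text output and checks each offset against the bytes seen so far. The function name `hex_only` and the sample input are assumptions; the second sample block is constructed so that its ASCII column looks like hex.

```python
import re
import sys

# One dump line: hex offset, two spaces, then 1-16 byte values separated by
# single spaces. The ASCII column sits behind a wider gap, so requiring a
# single space between bytes keeps it out of the match even if it looks like hex.
LINE_RE = re.compile(
    r"^([0-9a-fA-F]{4,})  ((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})(?:\s|$)")

# Constructed sample: a made-up summary line, the first two dump lines from
# the question, then a short block whose ASCII column reads "ab cd".
SAMPLE = """\
1 0.000000 192.85.1.2 -> 192.0.0.1 TCP (constructed summary line)

0000  00 10 94 00 00 02 00 10 94 00 00 01 08 00 45 00   ..............E.
0010  00 6e 00 2c 00 00 ff 06 3a 05 c0 55 01 02 c0 00   .n.,....:..U....

0000  61 62 20 63 64                                    ab cd
"""


def hex_only(lines):
    """Yield one hex string per dump block found in `tshark -x` text output."""
    current = bytearray()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # summary lines and blank lines are not dump lines
        offset = int(m.group(1), 16)
        if offset == 0 and current:
            # Offset 0000 starts a new packet (or a new data source).
            yield current.hex()
            current = bytearray()
        if offset != len(current):
            # A gap means truncated or mangled input; fail loudly.
            raise ValueError(
                f"offset {offset:#06x} does not follow {len(current)} bytes")
        current += bytes.fromhex(m.group(2))
    if current:
        yield current.hex()


if __name__ == "__main__":
    for packet_hex in hex_only(sys.stdin):
        print(packet_hex)
```

Saved under a name of your choice (here, hypothetically, `hexonly.py`), it reads the dump on standard input: `tshark -r capture.pcap -x | python3 hexonly.py`.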