Wireshark-users: Re: [Wireshark-users] Exporting raw packet data?

From: Pete Fraser <pfraser@xxxxxxxxx>
Date: Mon, 13 Nov 2006 18:55:25 -0800
At 06:24 PM 11/13/2006, Guy Harris wrote:

On Nov 13, 2006, at 5:52 PM, Pete Fraser wrote:

> I want to export packet data in raw format, so that I end up with a
> binary file.

"Raw" in what sense?

In the sense that it's used in the Analyze->Follow TCP Stream dialogue.
That is, binary data; not an ASCII representation of HEX data.


And what part of the packet data do you want to export?

The payload.
Again, the Analyze->Follow TCP Stream capability seems to do exactly what I want (for TCP packets, but not UDP). I can select a TCP packet from a webcam, do a raw save with Analyze->Follow TCP Stream, and end up with a binary motion JPEG file that many viewers will play (after I remove some ASCII header material).


And do you want to export from one packet, or multiple packets?

Multiple packets. I think I can do it from one with File->Export->Selected Packet Bytes....


And, if it's multiple packets, do you just want to concatenate the
data, or do you want some sort of record format to keep the data from
different packets separated?

Concatenate.


> What I want to do, but can't work out how, is to export a lot of
> packet data as a raw binary file.
> I develop the appropriate filter so that only the packets of interest
> are visible, then do File->Export->File..., select "All packets",
> "Displayed", and "Packet Bytes" for the only Packet Format. I would
> hope that I can then save as raw, but I only find ASCII, PS, XML,
> etc. What am I doing wrong?

What you're doing wrong is assuming that Wireshark has such a
capability.

Sorry. It had the capability for TCP packets, so I assumed the same for UDP.
I can write some code to take the text output from the File->Export->File... process, and convert it to binary, but I thought that capability was probably in there already (it's such a great program).


In order to add such a capability, we first need to know what it would
do, hence the questions.


Thanks for considering it.

Pete
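The conversion Pete describes, as an added example that is not part of the thread: it reads the text produced by File->Export->File... with "Packet Bytes" as the only packet format, rebuilds each frame from the hex-dump lines, keeps only Ethernet/IPv4/UDP frames, and concatenates their UDP payloads into one binary blob. The function names and the sample export are constructed for this example; it assumes plain Ethernet framing (no VLAN tag) and IPv4.

```python
import re, struct

# One line of Wireshark's "Packet Bytes" text export: 4-digit offset, two
# spaces, up to 16 space-separated hex bytes, then a gap and the ASCII column.
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4})\s{2}((?:[0-9a-fA-F]{2} ?){1,16})")

def parse_hexdump(text):
    """Rebuild each exported frame as bytes; a blank line or a new 0000 offset
    (whichever comes first) marks the start of the next frame."""
    frames, cur = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m is None:
            if not line.strip() and cur:
                frames.append(bytes(cur)); cur = bytearray()
            continue
        if int(m.group(1), 16) == 0 and cur:
            frames.append(bytes(cur)); cur = bytearray()
        cur += bytes.fromhex(m.group(2).replace(" ", ""))
    if cur:
        frames.append(bytes(cur))
    return frames

def udp_payload(frame, eth_len=14):  # UDP payload of an Ethernet/IPv4/UDP frame, else None
    if len(frame) < eth_len + 28 or frame[12:14] != b"\x08\x00":  # too short / not IPv4
        return None
    ihl = (frame[eth_len] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[eth_len + 9] != 17:                 # IP protocol 17 = UDP (6 would be TCP)
        return None
    udp = eth_len + ihl
    (udp_len,) = struct.unpack("!H", frame[udp + 4:udp + 6])  # UDP length incl. 8-byte header
    return frame[udp + 8:udp + udp_len]

def concatenate_udp_payloads(text):  # the "Concatenate" answer from the thread
    return b"".join(p for p in map(udp_payload, parse_hexdump(text)) if p)

# Constructed sample export: UDP frame ("JPEG"), a TCP frame to be skipped, UDP frame ("DATA").
SAMPLE_EXPORT = """\
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   ."3DUfw.........E.
0010  00 20 00 01 00 00 40 11 00 00 c0 a8 01 0a c0 a8   . ....@.........
0020  01 14 04 d2 13 88 00 0c 00 00 4a 50 45 47         ..........JPEG

0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   ."3DUfw.........E.
0010  00 20 00 01 00 00 40 06 00 00 c0 a8 01 0a c0 a8   . ....@.........
0020  01 14 04 d2 13 88 00 0c 00 00 54 43 50 21         ..........TCP!
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   ."3DUfw.........E.
0010  00 20 00 02 00 00 40 11 00 00 c0 a8 01 0a c0 a8   . ....@.........
0020  01 14 04 d2 13 88 00 0c 00 00 44 41 54 41         ..........DATA
"""
```

Writing `concatenate_udp_payloads(open("export.txt").read())` to a file opened in binary mode gives the raw payload file the thread asks for; the ASCII header material Pete mentions removing from the TCP case is not stripped here.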