Wireshark-users: Re: [Wireshark-users] saving traces as simple ASCII file

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 31 Oct 2009 00:48:29 -0700

On Oct 30, 2009, at 8:45 PM, Edward Peschko wrote:

> I'm trying to work with wireshark, and was wondering exactly how you
> save a trace as a simple text file, ie: a textual representation of
> what you see with the wireshark GUI app, along with an ASCII
> representation of the packets being transferred.
>
> Looking at the file types that you can save, I don't see anything
> remotely like this. What am I missing?

The fact that

1) "saving" generally means "saving with no (or little) information loss", and saving a text version of the packet isn't that

and

2) that might be called "printing" or "exporting"?

Try Export -> as Plain Text File... instead.

But what do you mean by "ASCII representation of the packets being transferred"? The only ASCII representations we offer are

1) the summary line - which you see with the Wireshark GUI app, in the packet list (the topmost pane, by default);

2) the detailed dissection - which you see with the Wireshark GUI app, in the packet detail (the middle pane, by default);

3) the hex dump of the raw packet data - which you see with the Wireshark GUI app, in the hex dump (the bottommost pane, by default);

so there's no ASCII representation that you *don't* "see with the Wireshark GUI app". The Export -> as Plain Text File dialog lets you choose which of 1), 2), or 3) you want to see (you can see more than one of them in the resulting text file - "Packet summary line", "Packet details", and "Packet bytes").

> ps - how do you filter packets by an ascii string, again, without
> regard to either the metadata or the contents of the packets?

A filter that takes into account neither the metadata nor the contents of the packet cannot exist - everything you see in the display comes either from the metadata or the contents.

You can filter on the raw contents of the packet containing a particular ASCII string with, for example:

	frame contains "ab"

which will show all frames that have an "a" followed by a "b". There is, as far as I know, no way to match all frames where the Info column, or the dissection, contains a particular string (there is no inherent reason for that, as the "Find" operation can find packets of that sort; there's just no pseudo-field in display filters corresponding to the Info column or to the packet details).
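The following is an added example, not code from the thread or from the Wireshark project. It reproduces the semantics of the `frame contains "ab"` display filter described above by reading a libpcap file and testing each frame's raw bytes for the substring, and then renders the matching frames as a hex dump of the kind the "Packet bytes" export produces. The pcap file itself is constructed in memory (Ethernet link type, three frames with made-up payloads), so it runs without a capture; the summary-line format in `export_plain_text` is a simplification and not Wireshark's exact column layout.

```python
"""Emulate Wireshark's `frame contains "..."` filter over a libpcap file.

All frame data below is constructed for the example; none of it comes from a
real capture. Only the classic microsecond-resolution libpcap magic numbers
are handled (not the nanosecond variant or pcapng).
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic libpcap magic as read little-endian
LINKTYPE_ETHERNET = 1


def build_pcap(payloads):
    """Construct a little-endian libpcap file containing one record per payload."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = []
    for i, payload in enumerate(payloads):
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on wire)
        records.append(struct.pack("<IIII", 1256950000 + i, 0, len(payload), len(payload)))
        records.append(payload)
    return header + b"".join(records)


def read_pcap(data):
    """Parse a libpcap file and return its frames as a list of raw byte strings."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic libpcap file (magic %#x)" % magic)
    frames = []
    offset = 24               # size of the global header
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % offset)
        frames.append(bytes(data[offset:offset + incl_len]))
        offset += incl_len
    return frames


def frame_contains(frames, needle):
    """Return 1-based frame numbers whose raw bytes contain `needle`.

    This is what `frame contains "ab"` does: a byte-substring match on the whole
    frame, with no regard to protocol boundaries or to the Info column.
    """
    if isinstance(needle, str):
        needle = needle.encode("ascii")
    return [n for n, frame in enumerate(frames, start=1) if needle in frame]


def hex_dump(frame):
    """Render a frame as offset / hex / ASCII columns like the packet bytes pane."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-47s  %s" % (off, hexpart, asciipart))
    return "\n".join(lines)


def export_plain_text(frames, needle=None):
    """Text export with a summary line and packet bytes for each (matching) frame.

    The summary line here is a constructed simplification, not Wireshark's columns.
    """
    numbers = frame_contains(frames, needle) if needle is not None else range(1, len(frames) + 1)
    out = []
    for n in numbers:
        frame = frames[n - 1]
        out.append("No. %d  Length %d" % (n, len(frame)))
        out.append(hex_dump(frame))
        out.append("")
    return "\n".join(out)


# Constructed sample: a broadcast Ethernet header followed by made-up payloads.
ETH = bytes.fromhex("ffffffffffff" "000000000000" "0800")
SAMPLE_PCAP = build_pcap([
    ETH + b"GET /ab HTTP/1.0",   # frame 1: contains "ab"
    ETH + b"hello world",        # frame 2: does not
    ETH + b"crab cake",          # frame 3: contains "ab" inside "crab"
])

if __name__ == "__main__":
    frames = read_pcap(SAMPLE_PCAP)
    print("frames matching 'frame contains \"ab\"':", frame_contains(frames, "ab"))
    print(export_plain_text(frames, "ab"))
```

Note that frame 3 matches even though "ab" is not a word there; the filter is a plain byte match, which is why it cannot stand in for a search over the Info column or the dissection text.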