Wireshark-users: Re: [Wireshark-users] how to grab printable text from entireTCP stream

From: "Jim Young" <sysjhy@xxxxxxxxxxxxxxx>
Date: Sat, 10 Jan 2009 20:15:02 -0500

Hello TC,

>>> <j.snelders@xxxxxxxxxx> 1/10/2009 3:04 PM >>>
>>On Fri, 9 Jan 2009 15:01:01 -0800 (PST) T c wrote:
>>Bah! I thought that might work...but alas, not quite as I actually need the
>>info in the Hex pane (sorry forgot to mention)...this only gave me summarized
>>info of the "middle" pane. And I am specifically looking to pull out the
>>actual data, not just the packet headers, etc...
>
>Did you deselect Packet Format -> Packet Details?
>Just select Packet Format -> Packet Bytes.
>The output is a hexdump: offset, hex and ASCII.
>AFAIK there are no options just to save the ASCII characters.

The "text" contained in your TCP stream is obviously 
encoded in some multi-byte text form.  

Here's a trick I've used on Windows platform.   Save a 
"Raw"[1] version of the "Follow TCP Stream" data out to 
a file.  Then open up a Windows cmd.exe shell.   In the 
cmd shell use the "type" command to make a "cooked" 
copy of the original raw stream data: e.g.

   C:\> type follow_tcp_stream.raw >follow_tcp_stream.cooked

If you're lucky the new "follow_tcp_stream.cooked" file
will have a simplified version of ASCII characters from the
original version of the file.

[1] You must be in "Raw" mode and NOT "ASCII" when you
do the "Save As".  If you choose "Save As" while in "ASCII" 
mode any unprintable characters will simply be replaced with 
an ASCII "." (period) character (basically what you see in the
"Steam Content" window).  When you choose "Save As" while 
in "Raw" the actual multibyte character data will be saved to 
the file.   The presence of the entire multibyte character MAY allow
for the ASCII simplification by using the cmd shell trick 
"type filename >newfile".

I hope this helps.

Jim Y.