
Wireshark-users: Re: [Wireshark-users] Hello my friends

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 24 Nov 2008 23:00:17 +0100
On Mon, Nov 24, 2008 at 11:39:29AM -0600, Temo Macías wrote:
> 
>    I can capture with -x the next capture format:
> 
>      1   0.000000 148.204.242.253 -> 255.255.255.255 UDP Source port: 17110 
>    Destination port: 17110
> 
>    0000  ff ff ff ff ff ff 00 0e a6 9a 5e 09 08 00 45 00   ..........^...E.
>    0010  00 50 ad a8 00 00 80 11 05 2b 94 cc f2 fd ff ff   .P.......+......
>    0020  ff ff 42 d6 42 d6 00 3c 31 b1 00 58 4d 43 01 00   ..B.B..<1..XMC..
>    0030  d2 49 00 00 00 00 00 00 00 00 20 00 f0 03 5b 53   .I........ ...[S
>    0040  45 53 5f 53 45 45 4b 5d 00 00 17 61 00 63 e7 04   ES_SEEK]...a.c..
>    0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00         ..............
> 
>    I will only use the headers of this capture; is there a way to capture
>    something like this with tshark instead of the capture above? Some kind of
>    filter?
> 
>      1   0.000000 148.204.242.253 -> 255.255.255.255 UDP Source port: 17110 
>    Destination port: 17110
> 
>    0000  ff ff ff ff ff ff 00 0e a6 9a 5e 09 08 00 45 00   ..........^...E.
>    0010  00 50 ad a8 00 00 80 11 05 2b 94 cc f2 fd ff ff   .P.......+......
>    0020  ff ff 42 d6 42 d6 00 3c 31 b1 00 58 4d 43 01 00   ..B.B..<1..XMC..
>    0030  d2 49 00 00 00 00
> 
>    I only need this info, because I only want to capture the protocol info,
>    not the data.
> 
>    Did you get my point?

If I understand you correctly, you want to capture only the Ethernet,
IP and UDP headers and forget about the UDP payload.

If that is your goal, you can use the -s <len> option to capture only
<len> octets of each packet. If there are no IP options and no VLAN tags
(just like in your example), you can use 14+20+8 = 42 for len. You can
do this when capturing the data. If you need to do this on a saved
trace file, you can use editcap to perform the action (have a look at
http://www.lovemytool.com/blog/2008/09/sake_blok.html to see how you can
manipulate capture files).

You could also use bittwist to do the manipulation. This tool is
especially handy when there are some packets with VLAN tags or IP
options, as you can direct it to save data "up to" a protocol.

Hope this helps,
Cheers,
    Sake
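The header arithmetic in the reply (14 + 20 + 8 = 42), as an added example that is not part of the original thread: the function below walks the frame from the message's own hex dump and returns the octet at which the UDP header ends, so the same number can be given to `tshark -s` or `editcap -s`. It also handles the two cases the reply says break a fixed 42, stacked 802.1Q tags and IPv4 options (via IHL); the sample frame and `with_vlan_tag` are constructed test input.

```python
import struct

# The hex dump from the message above, re-typed as the sample frame:
# Ethernet + IPv4 + UDP headers (42 octets) followed by 40 octets of payload.
SAMPLE = bytes.fromhex(
    "ff ff ff ff ff ff 00 0e a6 9a 5e 09 08 00 45 00"
    "00 50 ad a8 00 00 80 11 05 2b 94 cc f2 fd ff ff"
    "ff ff 42 d6 42 d6 00 3c 31 b1 00 58 4d 43 01 00"
    "d2 49 00 00 00 00 00 00 00 00 20 00 f0 03 5b 53"
    "45 53 5f 53 45 45 4b 5d 00 00 17 61 00 63 e7 04"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag: 4 octets, may be stacked (QinQ)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

def header_length(frame: bytes) -> int:
    """Octets from frame start through the end of the UDP header: Ethernet,
    any 802.1Q tags, IPv4 including options (IHL), then the 8-octet UDP header.
    Plain frames give 14 + 20 + 8 = 42, the -s value suggested in the reply."""
    off = 14                                          # dst MAC, src MAC, type
    if len(frame) < off:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    while ethertype == ETHERTYPE_VLAN:                # peel stacked 802.1Q tags
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    if len(frame) < off + 20:
        raise ValueError("truncated IPv4 header")
    ihl = (frame[off] & 0x0F) * 4                     # 20 without options
    if ihl < 20 or frame[off + 9] != IPPROTO_UDP:
        raise ValueError("malformed IPv4 header or not UDP")
    off += ihl + 8                                    # UDP header is 8 octets
    if len(frame) < off:
        raise ValueError("truncated UDP header")
    return off

def with_vlan_tag(frame: bytes, vid: int = 100) -> bytes:
    """Insert one 802.1Q tag after the MAC addresses (constructed variant of
    the sample, to show that a fixed -s 42 would then cut into the UDP header)."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return frame[:12] + tag + frame[12:]
```

Feeding `header_length(SAMPLE)` to `editcap -s` on a saved file, or `tshark -s` when capturing, keeps exactly the headers the poster asked for and drops the payload.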