tags:

views:

561

answers:

3
+1  Q: 

wireshark: Capture Data Layer Only

Is there a way to capture only the data layer and disregard the upper layers in wireshark? If not, is there a different packet dump utility that can do this? PREFERABLY 1 file per packet!

What I am looking for: A utility that dumps only the data (the payload) layer to a file.

This is programming related...! What I really want to do is to compare all of the datagrams in order to start to understand a third party encoding/protocol. Ideally, and what would be great, would be a hex compare utility that compares multiple files!

A: 

What do you mean by "data layer"? Can you post a short example of a packet with and one without data layer?

Andomar  2009-02-12 16:34:11
The payload. I do not want the link/tcp/ip layers.
Zombies  2009-02-12 16:36:20
A: 

There is a function to limit capture size in Wireshark, but it seems that 68bytes is the smallest value. There are options to starting new files after a certain number of kilo, mega, gigabytes, but again the smallest is 1-kilobyte, so probably not useful.

I would suggest looking at the pcap library and rolling your own. I've done this in the past using the PERL Net::Pcap library, but it could easily be done it other languages too.

If you have Unix/Linux available you might also look into tcpdump. You can limit amount of data captured with -s. For example "-s 14" would typically get you the Ethernet header, which I assume is what you mean by the datalink layer. There are also options for controlling how often files are created by specifying file size with -C. So theoretically if you set the file size to the capture size, you'll get one file per packet.

Jamie  2009-02-12 16:35:53
+4  A: 

You should try right-clicking on a packet and select "Follow TCP Stream". Then you can save the TCP communication into a raw file for further processing. This way you won't get all the TCP/IP protocoll junk.

Richard J. Terrell  2009-02-12 16:43:57
Capital idea! This might just be exactly what I need.
Zombies  2009-02-12 16:49:02

related questions

Find simultaneous connection through wireshark
cURL,WireShark. Setting headers to post data and get xml.
Tool for network traffic analysis of a custom protocol
how do you decrypt SSH .pcap file that uses Diffie Hellman ecryption. With public and private keys.
Corruption in the network stack
Can I monitor traffic on my Incoming Dialup connection using Wireshark?
Wireshark ------- Source port: timbuktu-srv2 ?
What is a TCP window update?
How do I go about reverse engineering a UDP-based custom game protocol with nothing other than Wireshark?
wireshark - filter by process/pid
Virtualize Wireshark
Wireshark dissect function
Decoding URL in Wireshark
how to find the packet loss in Wireshark?
Analyze core-dumps created while running wireshark on linux
Identifying characteristics of certain categories network traffic (originating from load balancer or port based NAT)
How to concatenate two tcpdump files (pcap files)
Wireshark Info Filter Help
Can we sniff packets between 2 machines in a network from a third machine using wireshark or ethereal
Ethernet FCS when capturing wth Wireshark under Linux
TCP Socket Server Builds Up CLOSE_WAITs Occasionally Over Time Until Inoperable
What are some good Wireshark tutorials?
How do you monitor network traffic on the iPhone?
how to clear the wireshark filter combo contents