Wireshark mailing list archives

Re: saving traces as simple ASCII file


From: Guy Harris <guy () alum mit edu>
Date: Sat, 31 Oct 2009 00:48:29 -0700


On Oct 30, 2009, at 8:45 PM, Edward Peschko wrote:

> I'm trying to work with wireshark, and was wondering exactly how you
> save a trace as a simple text file, ie: a textual representation of
> what you see with the wireshark GUI app, along with an ASCII
> representation of the packets being transferred.
>
> Looking at the file types that you can save, I don't see anything
> remotely like this. What am I missing?

The fact that

        1) "saving" generally means "saving with no (or little) information
           loss", and saving a text version of the packet isn't that

and

        2) that might be called "printing" or "exporting"?

Try Export -> as Plain Text File... instead.

But what do you mean by "ASCII representation of the packets being  
transferred"?  The only ASCII representations we offer are

        1) the summary line - which you see with the Wireshark GUI app, in
           the packet list (the topmost pane, by default);

        2) the detailed dissection - which you see with the Wireshark GUI
           app, in the packet detail (the middle pane, by default);

        3) the hex dump of the raw packet data - which you see with the
           Wireshark GUI app, in the hex dump (the bottommost pane, by default);

so there's no ASCII representation that you *don't* "see with the  
Wireshark GUI app".  The Export -> as Plain Text File dialog lets you  
choose which of 1), 2), or 3) you want to see (you can see more than  
one of them in the resulting text file - "Packet summary line",  
"Packet details", and "Packet bytes").

> ps - how do you filter packets by an ascii string, again, without
> regard to either the metadata or the contents of the packets?

A filter that takes into account neither the metadata nor the contents  
of the packet cannot exist - everything you see in the display comes  
either from the metadata or the contents.

You can filter on the raw contents of the packet containing a  
particular ASCII string with, for example:

        frame contains "ab"

which will show all frames that have an "a" followed by a "b".  There  
is, as far as I know, no way to match all frames where the Info  
column, or the dissection, contains a particular string (there is no  
inherent reason for that, as the "Find" operation can find packets of  
that sort; there's just no pseudo-field in display filters  
corresponding to the Info column or to the packet details).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
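
What a raw-bytes match like `frame contains "ab"` and a "Packet bytes" style text dump amount to, as an added example that is not part of the original message and is not Wireshark's code. The sample capture, the function names and the hex dump layout are constructed for illustration; only classic (non-pcapng, microsecond) pcap is handled.

```python
import struct

ETH = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"  # constructed 14-byte header
SAMPLE_FRAMES = [ETH + b"GET /ab HTTP/1.1\r\n", ETH + b"hello",
                 ETH + b"a\x00b", ETH + b"xxaby"]              # constructed payloads

def build_pcap(frames):
    """Serialize raw frames as a little-endian classic pcap byte string."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, data in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out

SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

def read_pcap(blob):
    """Yield (frame_number, raw_bytes) for each record, numbering from 1."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset, number = 24, 1                      # 24-byte global header
    while offset + 16 <= len(blob):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", blob, offset)
        data = blob[offset + 16 : offset + 16 + caplen]
        if len(data) < caplen:
            raise ValueError("truncated packet record")
        yield number, data
        offset, number = offset + 16 + caplen, number + 1

def frame_contains(blob, needle):
    """Frame numbers whose raw bytes contain the ASCII string (adjacent bytes only)."""
    pattern = needle.encode("ascii")
    return [n for n, data in read_pcap(blob) if pattern in data]

def hex_dump(data):
    """Text rendering of raw bytes: offset, 16 hex bytes per row, printable ASCII."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off : off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart:<47}  {text}")
    return "\n".join(rows)

if __name__ == "__main__":
    for n, data in read_pcap(SAMPLE_PCAP):
        if n in frame_contains(SAMPLE_PCAP, "ab"):
            print(f"Frame {n}\n{hex_dump(data)}\n")
```

Frame 3 of the sample holds an "a" and a "b" separated by a zero byte, so it is not matched: the match is on adjacent raw bytes, not on any dissected or summary text.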