author | Jim Young <jim.young.ws@gmail.com> | 2022-01-13 01:18:38 +0000 |
---|---|---|
committer | A Wireshark GitLab Utility <6629907-ws-gitlab-utility@users.noreply.gitlab.com> | 2022-01-13 01:18:38 +0000 |
commit | b5f89dbe2db357a0f4a08de7d00fdeed7ca2780c (patch) | |
tree | efb39d934db6b08b75e3813c73dab83a623b9d44 /doc | |
parent | fdc5166234f36e572af427a9810e32c79ee61720 (diff) |
tshark: Add new long option --hexdump <hexoption>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/tshark.adoc | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/doc/tshark.adoc b/doc/tshark.adoc index 613daeb4ff..05ce4b95d5 100644 --- a/doc/tshark.adoc +++ b/doc/tshark.adoc 
@@ -1025,6 +1025,76 @@ Cause *TShark* to print a hex and ASCII dump of the packet data after printing the summary and/or details, if either are also being displayed. -- +--hexdump <hexoption>:: ++ +-- +Cause *TShark* to print a hex and ASCII dump of the packet data +with the ability to select which data sources to dump and how to +format or exclude the ASCII dump text. + +This option can be used multiple times where the data source *<hexoption>* +is *all* or *frames* and the ASCII dump text *<hexoption>* is *ascii*, +*delimit*, *noascii*. + + Example: tshark ... --hexdump frames --hexdump delimit ... + +*all*:: + +Enable hexdump, generate hexdump blocks for all data sources associated +with each frame. Used to negate earlier use of `--hexdump frames`. +The *-x* option displays all data sources by default. + +*frames*:: + +Enable hexdump, generate hexdump blocks only for the frame data. Use +this option to exclude, from hexdump output, any hexdump blocks for +secondary data sources such as 'Bitstring tvb', 'Reassembled TCP', +'De-chunked entity body', etc. + +*ascii*:: + +Enable hexdump, with undelimited ASCII dump text. Used to negate earlier +use of `--hexdump delimit` or `--hexdump noascii`. The *-x* option +displays undelimited ASCII dump text by default. + +*delimit*:: + +Enable hexdump with the ASCII dump text delimited with '|' characters. +This is useful to unambigiously determine the last of the hex byte text +and start of the ASCII dump text. + +*noascii*:: + +Enable hexdump without printing any ASCII dump text. + +*help*:: + +Display --hexdump specific help then exit. + +The use of *--hexdump <hexoption>* is particularly useful to generate output +that can be used to create a pcap or pcapng file from a capture file type such +as Microsoft NetMon 2.x which *TShark* and *Wireshark* can read but can not +directly do a "Save as" nor export packets from. 
+ +Examples: + +Generate hexdump output, with only the frame data source, with delimited ASCII +dump text, with each frame hex block preceeded by a human readable timestamp that +is directly usable by the *text2pcap* utility: + + tshark ... --hexdump frames --hexdump delimit \ + -P -t ad -o gui.column.format:"Time","%t" \ + | text2pcap -n -t '%F %T.%f' - MYNEWPCAPNG + +Generate hexdump output, with only the frame data source, with no ASCII dump text, +with each frame hex block preceeded by an epoch timestamp that is directly +usable by the *text2pcap* utility: + + tshark ... --hexdump frames --hexdump noascii \ + -P -t e -o gui.column.format:"Time","%t" \ + | text2pcap -n -t %s.%f - MYNEWPCAPNG +-- + -X <eXtension options>:: + -- |
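Review bot: The added documentation has spelling errors in three places: "unambigiously" in the *delimit* entry should be "unambiguously", and "preceeded" in both paragraphs under "Examples:" should be "preceded". The two text2pcap examples also quote the `-t` format inconsistently (`-t '%F %T.%f'` in the first, bare `-t %s.%f` in the second); quoting both would keep them uniform and safe to paste into any shell. Finally, the introductory sentence lists *all*, *frames*, *ascii*, *delimit* and *noascii* as the possible *<hexoption>* values but omits *help*, which is documented a few entries later; either mention it in that sentence or state that *help* is handled separately from the data source and ASCII selectors.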