Sunday, 6 May 2012

Extracting dissected packets details from Wireshark

Here's a short Wireshark tip on how to extract packet details from Wireshark GUI into a text file. In other words how to get this:
Frame 74: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: IntelCor_29:34:97 (00:1f:3b:29:34:97), Dst: ThomsonT_84:7e:4a (00:26:44:84:7e:4a)
Internet Protocol Version 4, Src: 192.168.1.65 (192.168.1.65), Dst: 74.125.132.191 (74.125.132.191)
Transmission Control Protocol, Src Port: 2368 (2368), Dst Port: 80 (80), Seq: 2, Ack: 2, Len: 0
    Source port: 2368 (2368)
    Destination port: 80 (80)
    [Stream index: 6]
    Sequence number: 2    (relative sequence number)
    Acknowledgement number: 2    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgement: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 231
    [Calculated window size: 231]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x5951 [validation disabled]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 73]
        [The RTT to ACK the segment was: 0.000092000 seconds]
from this:
Wireshark packet details
Wireshark packet details window

One may ask -- what's the problem here, can't you just select the window content and use Ctrl+C/Ctrl+V? Well, I was disappointed to learn that no, it's not straightforward. Good news it's still possible.

First of all we'll need to mark all the packets that we're interested in. You can either use a context menu item "Mark packet (toggle)" or just hit Ctrl+M when the focus is set on the packet we're looking into. You'll have to repeat the procedure for all the packets you want to extract. If there's just too much for doing it manually you can play with different options in the Edit menu. You can toggle the Marked status for all displayed packets, so basically you can benefit from applying a display filter first.

Marking packets in Wireshark
Marking packets in Wireshark

Now go to File>Export>File menu:
Exporting a Wireshark capture to a file
Exporting a Wireshark capture to a file

And here's the key step. Set the export file type to Plain text, select the Marked packets option and make sure that you see Packet details checkbox selected on the right. You might want to play with different suboptions here: As displayed, All collapsed or All expanded.
Exporting Marked packets to a file in Wireshark
Exporting Marked packets to a file in Wireshark

And this is it. Now hit Save and check out the contents of the export file.

No comments: