3

I am trying to reverse engineer a protocol in Wireshark, and I'm not that familiar with Wireshark. I have found some of the packets that I want, and I can see the XML data in the Data View pane. I would like to get it out of there so I can clean it up and read it and start figuring out what is required to use it elsewhere.

Are the dots after every character a part of Wireshark, or a part of the protocol I am looking at? I am presuming Wireshark, so part of the reason I want the data out of Wireshark is to clean up the data.

What can I do to accomplish this goal?

I finally figured out how to multi select packets (CTRL + M), which is ridiculously tedious, but worked because I have a small set of packets to work with.

Printing them does not give me what I want, and exporting doesn't seem to do what I want. Of course, it's entirely possible I am screwing up those operations because of n00bishness.

Update

I found this article that explains how the feature was purposefully obfuscated. Well, I have found it anyways, but now I'm just getting a representation of what I saw in the data pane. I would like to just get the ASCII that is there. Is there some way in Wireshark to output this? It would be nice to mash up some packets and get their reassembled payload, like the receiver would send to the application server.

See below for graphic (courtesy of this question on Stack Overflow):


2 Answers

1

The field data.text will display the data in ASCII.

You can also select any field in the Packet Details window, right-click and choose "Apply as column".

WallStProg
  • 131
  • 3
1

I know this is an old topic but I needed to do exactly this just now and Google led me here. Anyway, here is the answer, at least in more modern releases of Wireshark (version 4.4.1).

For any generic ASCII data, ensure the Data information in the Packet Details section is showing both "Data" as hex and "Text" as ASCII. If not, right-click the Data section header, go to Protocol Preferences, and select Show Data As Text.

Wireshark Packet Details

You can then right-click the Text line and Apply As Column. Alternatively, you can Edit Column Preferences, add a new line, and create a custom filter for "data.text".

Now you can Export Packet Dissections from the File menu as a CSV, for example, and get your text easily for further processing. In my example, my data is generated from the sending application as CSV, so I can open in Excel and do a Text to Columns transformation for further refinement.

BHelman
  • 11
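The question's two open points, the dot after every character and reassembling several packets into one payload, shown as an added example that is not part of either answer or of Wireshark. It assumes the payload is ASCII-range text encoded as UTF-16LE (one common cause of that pattern, since the bytes pane draws every non-printable byte, here 0x00, as a dot) and that the per-packet hex comes from something like `tshark -r capture.pcapng -T fields -e data.data`, where the capture name is a placeholder; the sample message and all function names are constructed for illustration.

```python
import codecs

def parse_hex_field(field):
    """One data.data value ('3c003f00' or '3c:00:3f:00') -> bytes."""
    return bytes.fromhex(field.strip().replace(":", ""))

def ascii_pane(raw):
    """Mimic the packet bytes pane: non-printable bytes are drawn as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)

def looks_utf16le(raw):
    """Heuristic: nearly every odd-offset byte is 0x00."""
    high = raw[1::2]
    return bool(high) and high.count(0) / len(high) > 0.8

def reassemble_text(hex_fields):
    """Join payloads in capture order, then decode once.

    Decoding after the join matters: a packet boundary can split a
    two-byte UTF-16 code unit, so per-packet decoding would corrupt it.
    """
    # Blank fields (packets with no data layer) are skipped.
    raw = b"".join(parse_hex_field(f) for f in hex_fields if f.strip())
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le", errors="replace")
    if looks_utf16le(raw):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

# Constructed sample: an XML message as UTF-16LE, split at an odd offset
# into two "packets"; the second uses the colon-separated hex form.
MESSAGE = '<?xml version="1.0"?><msg id="7">hello</msg>'
WIRE = MESSAGE.encode("utf-16-le")
SAMPLE_FIELDS = [WIRE[:21].hex(), WIRE[21:].hex(":")]

if __name__ == "__main__":
    print(ascii_pane(WIRE[:10]))           # what the bytes pane shows
    print(reassemble_text(SAMPLE_FIELDS))  # the recovered text
```

If the odd-offset bytes are not zero, the dots are some other non-printable value and the payload is not plain UTF-16LE text, so check the hex column before trusting the decoded output.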