I'm trying to process some pcap files. My pcaps have a standard tcp handshake for connecting and closing, and one or more interesting packets sent while the connection is open.
I need to extract only the data part of the packets so that I can use the hex as input to another program. I use tcpreplay to play my pcap on the loopback
tcpreplay --intf1=lo some.pcap
Using tcpdump doesn't seem to work
tcpdump -x -i lo
it displays the data in hex, something like
0x0000: 4500 003a 0300 0000 4006 79bc 7f00 0001
0x0010: 7f00 0001 a7be 4e20 0000 0002 0000 0002
0x0020: 5018 8000 b9b7 0000 ffff ffff ffff ffff
I would really like to chop off the entire IP/TCP header and leave only
ffff ffff ffff ffff
(In this example, imagine the 8 bytes are for a protocol F such that the first 3 bytes are the header for F and the last 5 bytes are the data for F. I want to process F myself in another program, so I will refer to all of F as "the data". This creates a problem when I use tshark.)
I don't want to use anything like strings or cut which relies on my own knowledge of how long the tcp header is going to be because 1) the data is hex so doesn't have a nice form to use strings or a similar tool on and 2) some of the tcp headers have options and therefore the length is variable and the length of the data is variable, so cut or a similar tool is no good.
I've also tried tshark with
tshark -r some.pcap -Tfields -e data
which displays nothing and
tshark -r some.pcap -x
which displays
Frame (72 bytes):
0000 06 05 04 03 02 01 01 02 03 04 05 06 08 00 45 00 ..............E.
0010 00 3a 03 00 00 00 40 06 79 bc 7f 00 00 01 7f 00 .:....@.y.......
0020 00 01 a7 be 4e 20 00 00 00 02 00 00 00 02 50 18 ....N ........P.
0030 80 00 b9 b7 00 00 ff ff ff .........
Application Layer message (5 bytes):
0000 ff ff ff ff ff
So wireshark recognizes the innermost protocol and is "helpfully" splitting the header and data for me... Except I want the header and data together to process on my own.
I am completely lost for how I might strip the Ether/IP/TCP headers and leave only the data I want.
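One way to do exactly this without guessing header lengths, added here as an example (it is not code from the question or from tcpdump/tshark): walk the Ethernet/IPv4/TCP headers using the length fields the protocols carry themselves (the IPv4 IHL nibble, the IPv4 total length, and the TCP data-offset nibble), and hand back everything after the TCP header as the payload. The pcap in the example is constructed in memory (`sample_pcap()`) and mimics the question's setup: a three-way handshake, two data packets (one with TCP options, so its header is longer than 20 bytes), and a FIN. The builder functions exist only to produce that sample; `tcp_payloads()` and `payload_hex()` are the part you would point at a real file. Only the standard library is used.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap magic (little-endian file when read as "<I")
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_TCP = 6


def extract_tcp_payload(frame):
    """Return the TCP payload of one Ethernet frame, or None if it is not IPv4/TCP.

    Header lengths come from the packet itself (IHL, total length, data offset),
    so TCP options and Ethernet trailer padding are handled without any fixed cut.
    Fragmented IPv4 datagrams are not reassembled here.
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    # 802.1Q tags push the real ethertype 4 bytes further along.
    while ethertype == ETHERTYPE_VLAN and len(frame) >= l3 + 4:
        ethertype = struct.unpack("!H", frame[l3 + 2:l3 + 4])[0]
        l3 += 4
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[l3:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # IP header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]   # bounds the datagram (drops Ethernet padding)
    if ip[9] != IPPROTO_TCP or ihl < 20 or total_len < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    doff = (tcp[12] >> 4) * 4                     # TCP header length incl. options
    if doff < 20 or len(tcp) < doff:
        return None
    return tcp[doff:]


def tcp_payloads(pcap_bytes):
    """Iterate a classic pcap (either byte order) and collect non-empty TCP payloads."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off, payloads = 24, []
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        data = extract_tcp_payload(frame)
        if data:                                   # skips handshake/FIN packets with no data
            payloads.append(data)
    return payloads


def payload_hex(pcap_bytes):
    """Hex strings of each TCP payload, ready to feed to another program."""
    return [p.hex() for p in tcp_payloads(pcap_bytes)]


# --- constructed sample data (hypothetical addresses and ports, not real traffic) ---
def build_ipv4_tcp_frame(payload, tcp_options=b"", flags=0x18):
    eth = b"\x06\x05\x04\x03\x02\x01" + b"\x01\x02\x03\x04\x05\x06" + b"\x08\x00"
    opts = tcp_options + b"\x00" * (-len(tcp_options) % 4)   # pad to 32-bit words
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 0xA7BE, 20000, 2, 2, doff << 4, flags, 0x8000, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x0300, 0,
                     64, IPPROTO_TCP, 0, b"\x7f\x00\x00\x01", b"\x7f\x00\x00\x01")
    return eth + ip + tcp + payload


def build_pcap(frames):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def sample_pcap():
    """Handshake, a data packet with TCP timestamp options, a plain data packet, FIN."""
    return build_pcap([
        build_ipv4_tcp_frame(b"", flags=0x02),                 # SYN
        build_ipv4_tcp_frame(b"", flags=0x12),                 # SYN/ACK
        build_ipv4_tcp_frame(b"", flags=0x10),                 # ACK
        build_ipv4_tcp_frame(b"\xff" * 8,                      # PSH/ACK, 8 data bytes,
                             tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8),  # 32-byte TCP header
        build_ipv4_tcp_frame(b"\x01\x02\x03"),                 # PSH/ACK, 20-byte TCP header
        build_ipv4_tcp_frame(b"", flags=0x11),                 # FIN/ACK
    ])


if __name__ == "__main__":
    for h in payload_hex(sample_pcap()):
        print(h)
```

To run it on a real capture, replace `sample_pcap()` with `open("some.pcap", "rb").read()`; the output for the sample is one line per data-bearing packet (`ffffffffffffffff` and `010203`), with the 3-byte "protocol F" header and its data kept together because the parser stops at the TCP header and never looks inside the payload.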