Extract packet payload from pcap file

For a project I am working on we have a data source which generates a stream of data as UDP packets on 100 GbE Ethernet link.

The engineers I am working with can capture this stream and write the full stream as a pcap file.

I would like to strip all network headers and create a new file with just the UDP datagram payload. I realise I can write some C or Python to do this using the pcap libraries, but I would prefer to use an existing tool such as tshark, particularly if this gives the option of (optional) packet filtering such as UDP port etc.

I have been looking for solutions with Google and reading the man pages but could not find any solution.

I do NOT want the data converted to hex - I want the binary data of the payload retained.

Does anyone have any suggestions?


Answer by roosta

What do you think about this command?

This command looks for incoming UDP packets, extracts the UDP payload from them, sends them to the xxd command for hex to raw byte conversion and saves the raw bytes into a file as they come in.

tshark -i eno1 -Y 'udp.port == 67 or udp.port == 68' -T fields -e udp.payload | xxd -r -p > raw_payloads.bin

-i Specifies what interface you want to capture packets from.
-Y Specifies how to filter packets. In my example, filter out packets where the UDP port equals 67 or 68. List of filters can be found here: https://www.wireshark.org/docs/dfref/
-T Specifies where we are going to look (i.e. fields); in our case we want to look into the udp.payload field
-e Specifies the field to read (i.e. the udp.payload field)

This will output all the UDP payloads into hex.

We can convert the hex into raw bytes by piping the output into xxd.
-r will convert hex to binary
-p will output the binary continuously

Then finally we save the raw bytes into a file: > raw_payloads.bin
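Added example, not part of the question or roosta's answer. For the saved-capture case the asker describes, the same pipeline reads a file with `-r capture.pcap` in place of `-i eno1`. The Python below does the equivalent header stripping with only the standard library, so it can also serve as an independent check on what the tshark pipeline wrote: it walks a classic pcap file, strips the Ethernet header (including 802.1Q tags), the IPv4 or IPv6 header and the UDP header, optionally keeps only one port, and skips non-first IP fragments (which carry no UDP header) and bytes beyond the snaplen. The sample capture it builds, the port numbers and the MAC/IP addresses are constructed for the demo; pcapng files and IPv6 extension headers are not handled.

```python
# Added example (not from the question or roosta's answer): a standard-library
# Python equivalent of the tshark | xxd pipeline, run against a pcap *file*.
import struct
import sys
from typing import Iterator, Optional, Tuple

ETHERTYPE_VLAN, ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x8100, 0x0800, 0x86DD
IPPROTO_UDP, LINKTYPE_ETHERNET = 17, 1


def pcap_records(data: bytes) -> Iterator[bytes]:
    """Yield the captured bytes of every record in a classic pcap blob (not pcapng)."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian (us / ns)
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian (us / ns)
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]  # may be shorter than the wire frame (snaplen)
        off += incl_len


def udp_payload(frame: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (src_port, dst_port, payload) for a UDP frame, or None for anything else."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    while ethertype == ETHERTYPE_VLAN:          # strip 802.1Q tags, stacked ones too
        if len(frame) < off + 4:
            return None
        ethertype, off = struct.unpack("!H", frame[off + 2:off + 4])[0], off + 4
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < off + 20 or frame[off + 9] != IPPROTO_UDP:
            return None
        total_len, frag = struct.unpack("!HxxH", frame[off + 2:off + 8])
        if frag & 0x1FFF:                       # non-first fragment: no UDP header inside
            return None
        ip_end, off = off + total_len, off + (frame[off] & 0x0F) * 4
    elif ethertype == ETHERTYPE_IPV6:
        if len(frame) < off + 40 or frame[off + 6] != IPPROTO_UDP:  # no extension headers
            return None
        ip_end, off = off + 40 + struct.unpack("!H", frame[off + 4:off + 6])[0], off + 40
    else:
        return None
    if len(frame) < off + 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", frame[off:off + 6])
    if ulen < 8:
        return None
    end = min(off + ulen, ip_end, len(frame))   # drop Ethernet padding, honour truncation
    return sport, dport, frame[off + 8:end]


def extract_payloads(pcap: bytes, port: Optional[int] = None) -> bytes:
    """Concatenate UDP payloads in capture order, optionally keeping only one port."""
    out = bytearray()
    for frame in pcap_records(pcap):
        parsed = udp_payload(frame)
        if parsed and (port is None or port in parsed[:2]):
            out += parsed[2]
    return bytes(out)


def _frame(payload: bytes, dport: int, proto: int = IPPROTO_UDP, vlan: bool = False) -> bytes:
    """Build one constructed Ethernet/IPv4 frame; checksums are left zero on purpose."""
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    else:
        l4 = b"\x00" * 20 + payload                # placeholder TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4
    tag = struct.pack("!HH", ETHERTYPE_VLAN, 100) if vlan else b""
    return b"\x02" * 12 + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip  # constructed MACs


def build_sample_pcap() -> bytes:
    """Constructed capture: three UDP frames (one VLAN-tagged) plus one TCP frame."""
    frames = [_frame(b"hello ", 5000), _frame(b"not udp", 5000, proto=6),
              _frame(b"world", 6000), _frame(b"!", 5000, vlan=True)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # usage: python extract_udp.py capture.pcap [port] > raw_payloads.bin
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    port = int(sys.argv[2]) if len(sys.argv) > 2 else None
    sys.stdout.buffer.write(extract_payloads(data, port))
```

Run without arguments it extracts from the built-in sample and writes `hello world!` to stdout; with a file and an optional port it behaves like the `tshark -r ... | xxd -r -p` pipeline. Payloads are written back to back with no delimiter, exactly as the pipeline does, so datagram boundaries are lost unless the application protocol carries its own framing.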