Advanced filtering in wireshark - wireshark

I have a pcap file where I have a proprietary header from 13th byte to 110th byte. Is there a way I can strip of this portion from every packet in pcap file and then use wireshark to display the remaining packet ?

If you know for certain that every packet has the same proprietary header in the same location and is the same size, then you can use editcap to remove the unwanted bytes. For example:
editcap -C 12:98 file_with_prop_hdr.pcap file_without_prop_hdr.pcap

Related

How to parse WMV (ASF) file? Can't find length of data packets

I try to parse WMV (ASF) files without any SDK, just by decoding raw bytes. Now I have problem with ASF_Data_Object, where I can't find length of data packet. More precise, Single payload data packet.
See image:
Here I have 9 packets, but unable to find size of individual packet. How I can determine border between packets?
I think, my problem at byte 0x411, where field "Length type flags". As you can see, here 0 value, so all flags are zero. Even Packet Length Type.
Yes, 0 value here allowed here. But how to read this type of content?
This is now compressed payload, as replication data is 8, not 1. So, this is single payload without additional fields of size.
Sample of WMV file: https://files.catbox.moe/b51l2j.wmv
You seem to be having fixed size packets with no explicit payload length included, meaning that payload data size is derived from top level data object structure.
Spec quote commented:
That is, the ASF data object carries 9 packets, 3200 bytes each, then internally the packets contain payload 3174 bytes of payload per packet except the last one which has less data and some padding.

Reading TCP Stream from TShark without Bytes in Packet

I'm using TShark to read in existing *.pcap and *.pcapng files. When I output the TCPStream as an ASCII string using -z follow,tcp,ascii,33 (for stream number 33), I see all the ASCII data, but I also see that between packets, the ASCII stream is split by the the size of that packet in Bytes.
So, an example of the TCP Stream is below. The first half before the number is in one packet, followed by the remaining data found in a different template.
"website.templ
842
tes.output/name"
Assuming that I'm trying to regex on "templates" in this TCPStream, this split causes the regex to miss this occurrence of "templates" because it's split between two different packets.
Is there anyway to export the TCPStream as ASCII without the bytes field?
I attempted to use the -o flag to change the default setting of tcp.track_bytes_in_flight, but this only applies to live captures vs what I'm doing, analyzing static files.

How to preserve timestamps in tshark output file?

I'm using tshark to extract specific TCP streams and write that to an output pcap file using the -w option.
But, the frames in the output pcap do not have any timestamps or delta times (they're all zero while in the original pcap there are timestamps and delta times for the frames).
Is there any way to ensure that the original timestamps (from the original pcap file) are preserved in the output pcap?
I'm using TShark 1.10.5 (SVN Rev 54262 from /trunk-1.10) on MacOS.
Thanks!
the frames in the output pcap do not have any timestamps or delta times (they're all zero while in the original pcap there are timestamps and delta times for the frames).
That is what is technically known as a "bug". Please file it as a bug on the Wireshark Bugzilla; if you can attach your original pcap file for testing purposes, that would be good. (If not, please run the file command on it and show the results, just so we know what file type the input file is - it might, for example, be a pcap-ng file rather than a pcap file).

802.11 QoS data frames

I'm trying to parse 802.11 frames myself and I've encountered two problems that I can't solve.
First of all, when does an LLC (Logical Link Control) header follow a IEEE 802.11 data frame ? I thought when there is data in a frame, there would always be an llc overhead preceding the data, but I have a wireshark with Ethernet II instead of LLC. But I have no idea how to actually know if it's gonna be an LLC or a Ethernet II header following my 802.11 data header. There's no field in the 802.11 header specifyin what's following.
Secondly, I have noticed something in wireshark when I open a capture file containing 802.11 QoS data frames. At the end of the header there's the QoS control field, which is normal, it's specified in the IEEE 802.11 documentation (i've read it over and over again to try to find an answer to my question) But then, there's 2 bytes that wireshark considers part of the 802.11 header (when you click on the raw bytes, wireshark points to the 802.11 header, but the signification of the bytes is not displayed in the fields of the header ! Does my question make any sense ?
Here are images to explain what I'm not understanding. On the first screen shot below, you see the 802.11 header selected and you see below the concerned bytes in hexadecimal.
Pay attention to the last bytes of this packet:00 00 10 aa
Now I expand the 802.11 header and click on the very last field of it (QoS control, as specified in the RFC). You can see that the corresponding bytes are 00 00. But those bytes are not the last bytes of the packet ! There still is 10 aa that's part of the wifi packet but I have no idea what those bytes represent !
Any one has an idea ?
First of all, when does an LLC (Logical Link Control) header follow a IEEE 802.11 data frame ?
There should always be one, although things might be odd for aggregate packets. If you capture on an 802.11 interface and you're not capturing in monitor mode, you might see the packet begin with an Ethernet header, but that's different - that's the adapter and/or the driver translating the 802.11 header + LLC header into an Ethernet header.
But then, there's 2 bytes that wireshark considers part of the 802.11 header
That might actually be the "Atheros padding", "helpfully" inserted, in monitor mode, between the 802.11 header and the frame body by some Atheros network adapters. Open up the Radiotap header and see if the "Data Pad" flag is set in the Flags field; if so, the packet has "Atheros padding".

How can I convert the RTP payload containing SILK-encoded audio into a file?

I have the pcap of a VoIP call involving SILK.
I'm able to see in Wireshark the RTP payload.
From the RTP headers I can understand the sample rate (e.g. 24 KHz) and the frame size (e.g. 20 ms).
What I'd like to do is extract the RTP payload and generate a file containing the SILK-encoded audio.
From the RTP payload format description I can see that in the case of storage in a file, each block of audio needs a block header, to specify the sample rate and block size (because the block size is variable and can be different on each frame).
How can I generate a file with the correct file header ("magic number") and add a block header for each block of audio?
I can use a few different programming languages so I'm mainly interested in the required algorithm, but would appreciate references to code implementations (or perhaps some existing tool?).
Use pcaputil of pjproject: Converts captured RTP packets in PCAP file to WAV file or play it to audio device. Can filter the PCAP file on source or destination IP or port, is able to deal with SRTP and supports all codecs in PJMEDIA, including SILK (have not tried this myself).
Examples:
pcaputil file.pcap output.wav
pcaputil -c AES_CM_128_HMAC_SHA1_80 -k VLDONbsbGl2Puqy+0PV7w/uGfpSPKFevDpxGsxN3 file.pcap output.wav

Resources