How to export printable text only(or any other packet property) in wireshark

Question

Long story short - I'm capturing SQLs from vendor tool to Oracle database by using Wireshark. It already has decoder for TNS protocol (which is great) and I can access text of SQL by

Right Click->Copy->Bytes(Printable Text Only). 

The problem is that there are tons of packets and doing right-click on each of them could take ages. I was wondering if there any way to export 'Printable Text Only' right from Wireshark. Ideally I want to have a text file with statements.

Any help will be highly appreciated.

Answer 1

I don't know how to do it with TNS. but you can do something like this using tshark, for example to look at http requests.

tshark -T fields -e http.request.uri

So if you can look at the options in the TNS decoder, you should be able to grab that field and redirect the output to a file.

Answer 2

Finally found away to do this. First, use tshark capturing tns packets:

tshark -R tcp.port==1521 -T fields -e data.data -d tcp.port==1521,tns > input.txt

Then you could use home brew Ruby script below to transform from bytes to text:

file = ARGV[0]
print_all = ARGV[1]

File.open(file, "r").each {|line|
  line.gsub(",", ":").split(':').each {|byte|
    chr = Integer('0x' + byte).chr
    print chr if ((' '..'~').include?(chr) or chr == "\n") or (print_all.downcase == 'all' if print_all)
  } if !line.chomp.empty?
}

Examples are:

encode.rb input.txt > output.txt

will export printable text only from input to output

encode.rb input.txt  all > output.txt

will export all text from input to output

Answer 3

An easy way of looking at them all that has worked for me is just Right Click -> Follow TCP Stream.

A note: unprintable characters are displayed as .s. If there are a bunch of these interspersed between all the text you want to extract (as there was for me), switch it to ASCII, save it and open it in your favourite text editor (vim for me), then run a search and replace similar to /\.//g.