It sounds like you're only interested in the raw bytes that comprise each packet. Assuming so, you might try something like:
tcpdump -r someFile.pcap -xx | grep -P "^\t0x"
As you can see from the tcpdump man page, that will cause tcpdump to read the capture file, and "in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex." Piping the output to grep takes care of removing the summary line. Perhaps there's a way to instruct tcpdump not to print the summary line at all, but if there is, I was unable to find it. In any case, at this point, you just need to process the hex output.
You can also achieve this a bit more easily, I think, by using tshark instead of tcpdump. For example:
tshark -r icmp.pcap -x
The output formats of tcpdump and tshark do differ in how the hex values are displayed and grouped, and whether the ASCII representation of the hex bytes is present or not following the hex values, so you'll probably have to experiment to see which format you like better or is easier for your program to parse.
-t will remove the timestamps for the capture. – Mark Riddell – 2017-06-14T11:58:57.360
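The "process the hex output" step from the answer above, as an added example that is not part of the original answer or comment: a Python parser that turns tcpdump -xx output into one bytes object per packet, whether or not the summary lines were already removed with grep. It assumes the -xx layout (tab, 0x offset, hex groups, no ASCII column); the function name and the sample lines are this example's own.

```python
import re
import sys

# A hex line from `tcpdump -xx`: tab, "0x" + offset, colon, then hex groups.
# This is the same anchor the answer's grep uses; summary lines do not match.
HEX_LINE = re.compile(r"^\t0x([0-9a-f]+):\s+(.*)$")


def parse_tcpdump_hex(text):
    """Return one bytes object per packet (hypothetical helper name)."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m is None:
            continue  # summary line, blank line, or other non-hex output
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2))  # spaces between groups are ignored
        if offset == 0:
            # Offset 0x0000 starts a new packet, so this also works on
            # grep-filtered output that has no summary lines left.
            if current is not None:
                packets.append(bytes(current))
            current = bytearray()
        elif current is None or offset != len(current):
            # A gap means lines were lost or the format is not plain -xx.
            raise ValueError(f"unexpected offset 0x{offset:04x}: {line!r}")
        current += chunk
    if current is not None:
        packets.append(bytes(current))
    return packets


# Constructed sample in the -xx layout; the bytes are made up, not a capture.
SAMPLE = (
    "12:00:00.000001 IP 192.0.2.1 > 192.0.2.2: ICMP echo request\n"
    "\t0x0000:  0011 2233 4455 6677 8899 aabb 0800 4500\n"
    "\t0x0010:  001c 01\n"
    "12:00:00.000002 ARP, Request who-has 192.0.2.2 tell 192.0.2.1\n"
    "\t0x0000:  ffff ffff ffff 6677 8899 aabb 0806\n"
)

if __name__ == "__main__":
    # Pipe tcpdump output in, or run with no pipe to parse the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for number, packet in enumerate(parse_tcpdump_hex(data), start=1):
        print(number, len(packet), packet.hex())
```

The offset check is what catches truncated or interleaved input, which a plain "strip everything but hex digits" approach would silently merge into one byte stream.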