u/minektur

I'm looking at T.38 VoIP calls in Wireshark.

I'll see a packet labeled like this:

597	66.185038	X.X.X.X	Y.Y.Y.Y	T.38	60	UDP: UDPTLPacket Seq=00032  data:v21: hdlc-fcs-OK-sig-end (HDLC Reassembled: DCS - Digital Command Signal - DSR:14 400 bit/s, ITU-T V.17)

In particular I see "HDLC Reassembled:...."

In the details pane, if I expand the packet details, I see a line like:

[7 Message fragments (6 bytes): #590(1), #591(1), #592(1), #593(1), #594(1), #596(1), #597(0)]

If I right-click on that line, I can 'copy -> as hex-stream' and get the bytes for all the reassembled stuff from the multiple packets, without having to go track down all the other fragments and reassemble them myself. Similarly, I can just double-click on the packet to get a separate details window.

Can I do the same thing in tshark? I can use the same filter that will get me the same packets and I'd like to get the hex-stream from the reassembled HDLC packets on the command line.

I've tried a lot of variations on things like:

tshark -r ../sample.pcap -Y 't38.field_type==7' -T fields -e frame.number -e t38.field_data

which gets me apparently only the current packet's data.

I dug through all of the t38 fields as seen here:

https://www.wireshark.org/docs/dfref/t/t38.html

And didn't find an obvious answer.

Is this something only in Wireshark, or is there some command line option to tshark I'm missing?

u/minektur — 7 days ago
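
One way to rebuild the same byte stream from per-packet field output, as an added example that is not part of the original post: it concatenates hdlc-data fields until an FCS field closes the frame. The input layout (tab-separated tshark fields, one direction of the call), the name `reassemble_hdlc` and the sample bytes are assumptions; the field-type numbers follow the T.38 Field-type enumeration.

```python
# Added example, not from the post. Assumed input: one line per packet from
#   tshark -r sample.pcap -Y t38 -T fields \
#       -e frame.number -e t38.field_type -e t38.field_data
HDLC_DATA, HDLC_SIG_END = 0, 1   # hdlc-data, hdlc-sig-end
FCS_OK = {2, 4}                  # hdlc-fcs-OK, hdlc-fcs-OK-sig-end
FCS_BAD = {3, 5}                 # hdlc-fcs-BAD, hdlc-fcs-BAD-sig-end


def reassemble_hdlc(lines):
    """Return [(closing_frame, fragment_frames, hex_stream, fcs_ok), ...]."""
    results, frags, buf = [], [], bytearray()
    for line in lines:
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) < 2 or not cols[0].strip().isdigit():
            continue  # row without T.38 fields
        frame_no = int(cols[0])
        types = [int(t) for t in cols[1].split(",") if t.strip().isdigit()]
        raw = cols[2] if len(cols) > 2 else ""
        # Occurrences are comma-separated; older tshark prints bytes as aa:bb:cc.
        datas = [d.replace(":", "") for d in raw.split(",") if d]
        for ftype in types:
            if ftype == HDLC_SIG_END:
                frags, buf = [], bytearray()  # discard an unterminated frame
                continue
            if ftype != HDLC_DATA and ftype not in FCS_OK | FCS_BAD:
                continue  # not an HDLC field type
            if frame_no not in frags:
                frags.append(frame_no)
            if ftype == HDLC_DATA:
                # Assumption: data occurrences line up with hdlc-data fields.
                if datas:
                    buf += bytes.fromhex(datas.pop(0))
            else:
                if buf:  # an FCS field closes the frame collected so far
                    results.append((frame_no, frags, buf.hex(), ftype in FCS_OK))
                frags, buf = [], bytearray()
    return results


# Constructed rows mirroring the post's fragment list; byte values are made up.
SAMPLE = [
    "590\t0\tff", "591\t0\tc8", "592\t0\tc1", "593\t0\t00",
    "594\t0\t46", "596\t0\t1f", "597\t4\t",
    "600\t0,2\tff:c0:04",      # data + hdlc-fcs-OK in one packet, colon style
    "603\t0\tff", "604\t3\t",  # frame closed by hdlc-fcs-BAD
]

for row in reassemble_hdlc(SAMPLE):
    print(*row)
```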