Ethereal-users: Re: [Ethereal-users] Follow TCP Stream using tethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 21 May 2002 12:53:49 -0700
On Tue, May 21, 2002 at 12:05:02PM +1000, Eddie Luc wrote:
>     The following link alludes to it but doesn't quite give me all the
> information.
> 
> http://www.ethereal.com/lists/ethereal-dev/200008/msg00027.html
> 
>     i.e. If I can specify the stream it should be able to follow it.
> 
>     Please expand a little further.

There's not really much more to say.

Tethereal won't do something similar to Ethereal's "Follow TCP Stream",
producing a display of the TCP data.  It can only capture, or display,
packets *in* that stream, in their entirety.

If you know the source and destination IP addresses and TCP port numbers
of the two sockets, you can either use a capture filter such as the one
given in that mail message, or a display filter such as

    (ip.addr == foo and tcp.port == X) and (ip.addr == bar and tcp.port == Y)

to select the packets.  As I said, however, that won't give you a nice
pretty display such as the one you get from "Follow TCP Stream".

There is a program called tcpflow:

	http://www.circlemud.org/~jelson/software/tcpflow/

which might do what you want.
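
The step that "Follow TCP Stream" adds on top of selecting packets by address and port is ordering the segments of one direction by sequence number and joining their payloads. The following is an added example, not part of the original message and not code from Ethereal or tcpflow; the names `follow_tcp_stream` and `make_frame`, the addresses, the ports, and the capture bytes are constructed for illustration.

```python
import socket
import struct

def follow_tcp_stream(pcap, src, sport, dst, dport):
    """Reassemble the bytes sent from src:sport to dst:dport (one direction)."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None or struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    want = (socket.inet_aton(src), sport, socket.inet_aton(dst), dport)
    base, segments, off = None, {}, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        if struct.unpack("!H", ip[6:8])[0] & 0x3FFF or len(tcp) < 20:
            continue  # IP fragments are not reassembled in this example
        s, d, seq = struct.unpack("!HHI", tcp[:8])
        if (ip[12:16], s, ip[16:20], d) != want:
            continue  # other connection, or the reverse direction
        seq = (seq + (tcp[13] >> 1 & 1)) & 0xFFFFFFFF  # SYN consumes one sequence number
        if base is None:
            base = seq  # assumption: the first packet seen marks the stream start
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            segments.setdefault((seq - base) & 0xFFFFFFFF, payload)  # first copy wins
    out = bytearray()
    for rel in sorted(segments):
        if rel > len(out):
            break  # gap: a segment is missing from the capture
        out += segments[rel][len(out) - rel:]  # drop bytes already emitted
    return bytes(out)

def make_frame(src, sport, dst, dport, seq, flags, data=b""):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 8192, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + tcp

# Constructed capture: SYN, out-of-order data, a reverse-direction packet, a retransmission.
A, B = ("192.0.2.1", 40000), ("192.0.2.2", 80)
FRAMES = [make_frame(*A, *B, 1000, 0x02), make_frame(*A, *B, 1005, 0x18, b"/ HTTP/1.0\r\n\r\n"),
          make_frame(*B, *A, 5000, 0x18, b"HTTP/1.0 200 OK\r\n"),
          make_frame(*A, *B, 1001, 0x18, b"GET "), make_frame(*A, *B, 1001, 0x18, b"GET ")]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)
```

Each direction is reassembled separately, so showing both sides of a conversation takes two calls with the endpoints swapped.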