Wireshark-bugs: [Wireshark-bugs] [Bug 6684] New: Add support to follow UDP and TCP streams
Date: Thu, 15 Dec 2011 13:36:03 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6684

           Summary: Add support to follow UDP and TCP streams
           Product: Wireshark
           Version: 1.7.x (Experimental)
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: TShark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: msaal@xxxxxxxxxx


Build Information:
TShark 1.7.1 (SVN Rev 40212 from /trunk)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.30.0, with libpcap (version unknown), with libz
1.2.3.4, with POSIX capabilities (Linux), with SMI 0.4.8, with c-ares 1.7.4,
with Lua 5.1, without Python, with GnuTLS 2.10.5, with Gcrypt 1.5.0, with MIT
Kerberos, with GeoIP.

Running on Linux 3.0.0-14-generic, with locale en_US.UTF-8, with libpcap
version
1.1.1, with libz 1.2.3.4.

Built using gcc 4.6.1.

--
Add support to follow UDP and TCP streams like wireshark does. UDP streams are
selected with IP address/port pairs. TCP stream are selected with either the
stream index or IP address/port pairs.

Hex output example:

===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
00000000  00 00 00 22 00 00 00 07  00 0a 85 02 07 e9 00 02  ...".... ........
00000010  07 e9 06 0f 00 0d 00 04  00 00 00 01 00 03 00 06  ........ ........
00000020  1f 00 06 04 00 00                                 ......
    00000000  00 01 00 00                                       ....
00000026  00 02 00 00                                       ....


Ascii output example:

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
38
...".....
................
    4
....

Raw output example:

===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
0000002200000007000a850207e9000207e9060f000d000400000001000300061f0006040000
    00010000


Note that all Node 1 data is prefix with a tab character to distinguish from
Node 0. Hex and raw data are all contained on one line, Ascii data may have
linefeeds and carriage returns so a length followed by a linefeed is prefixed
first.

The -z switch has been extended with 'follow,tcp' and 'follow,udp' to follow
TCP and UDP streams respectively.

Usage:

  tshark -q -r <cap-file> -z follow,tcp,<mode>,<filter>[,<range>]
  tshark -q -r <cap-file> -z follow,udp,<mode>,<filter>[,<range>]

<mode> - output format
  ascii   # ascii data with dots
  hex     # hex and ascii data with offsets
  raw     # hex data

<filter>
  <ip4-addr0>:<port0>,<ip4-addr1>:<port1>   # IPv4 address/port pairs  
  <ip6-addr0>:<port0>,<ip6-addr1>:<port1>   # IPv6 address/port pairs
  <tcp-stream-index>

<range> - display specified "chunks" of stream (optional
  <min>-<max> # display stream chunks number 'min' through 'max'
  <num>       # dsiplay stream chunk number num'

Examples:
  tshark -r <cap-file> -q -z follow,tcp,raw,1,2-4
  tshark -r <cap-file> -q -z follow,tcp,ascii,1,5
  tshark -r <cap-file> -q -z
follow,tcp,hex,200.57.7.197:32891,200.57.7.198:2906

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.