Wireshark-bugs: [Wireshark-bugs] [Bug 6684] New: Add support to follow UDP and TCP streams
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6684
Summary: Add support to follow UDP and TCP streams
Product: Wireshark
Version: 1.7.x (Experimental)
Platform: Other
OS/Version: All
Status: NEW
Severity: Major
Priority: Low
Component: TShark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: msaal@xxxxxxxxxx
Build Information:
TShark 1.7.1 (SVN Rev 40212 from /trunk)
Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.30.0, with libpcap (version unknown), with libz
1.2.3.4, with POSIX capabilities (Linux), with SMI 0.4.8, with c-ares 1.7.4,
with Lua 5.1, without Python, with GnuTLS 2.10.5, with Gcrypt 1.5.0, with MIT
Kerberos, with GeoIP.
Running on Linux 3.0.0-14-generic, with locale en_US.UTF-8, with libpcap
version
1.1.1, with libz 1.2.3.4.
Built using gcc 4.6.1.
--
Add support to follow UDP and TCP streams like wireshark does. UDP streams are
selected with IP address/port pairs. TCP stream are selected with either the
stream index or IP address/port pairs.
Hex output example:
===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
00000020 1f 00 06 04 00 00 ......
00000000 00 01 00 00 ....
00000026 00 02 00 00 ....
Ascii output example:
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
38
...".....
................
4
....
Raw output example:
===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
0000002200000007000a850207e9000207e9060f000d000400000001000300061f0006040000
00010000
Note that all Node 1 data is prefix with a tab character to distinguish from
Node 0. Hex and raw data are all contained on one line, Ascii data may have
linefeeds and carriage returns so a length followed by a linefeed is prefixed
first.
The -z switch has been extended with 'follow,tcp' and 'follow,udp' to follow
TCP and UDP streams respectively.
Usage:
tshark -q -r <cap-file> -z follow,tcp,<mode>,<filter>[,<range>]
tshark -q -r <cap-file> -z follow,udp,<mode>,<filter>[,<range>]
<mode> - output format
ascii # ascii data with dots
hex # hex and ascii data with offsets
raw # hex data
<filter>
<ip4-addr0>:<port0>,<ip4-addr1>:<port1> # IPv4 address/port pairs
<ip6-addr0>:<port0>,<ip6-addr1>:<port1> # IPv6 address/port pairs
<tcp-stream-index>
<range> - display specified "chunks" of stream (optional
<min>-<max> # display stream chunks number 'min' through 'max'
<num> # dsiplay stream chunk number num'
Examples:
tshark -r <cap-file> -q -z follow,tcp,raw,1,2-4
tshark -r <cap-file> -q -z follow,tcp,ascii,1,5
tshark -r <cap-file> -q -z
follow,tcp,hex,200.57.7.197:32891,200.57.7.198:2906
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.