Wireshark-dev: Re: [Wireshark-dev] Displaying an entire pcap file by TCP/UDP stream
-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Thursday, May 08, 2008 16:31
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Displaying an entire pcap file by TCP/UDP stream
On May 8, 2008, at 11:35 AM, Eiland, Edward (GE, Research) wrote:
> I have a need to review reconstituted TCP/UDP streams across an entire
> packet capture file. While this is possible manually, it surely is
> not practical for large pcap files. Does a solution exist to
> automate this process? It would, for my problem, actually be best for
> each stream to be saved in a separate file.
>
http://wiki.wireshark.org/Tools
speaks of
tcpflow: Extracts data streams from TCP connections and writes each stream to a file (GPL, BSD/Linux/Unix)
under "Monitoring/tracing tools"; see
http://www.circlemud.org/~jelson/software/tcpflow/
It doesn't handle UDP, but, as UDP is a packet-oriented rather than a byte-stream protocol, it's less clear what a UDP "stream" is, and, as UDP does not itself do reliable in-order delivery, it's not clear that a file made up of all the UDP packet payloads, in sequence, glued together would be useful. What *particular* protocols running atop UDP are you dealing with here?
Since this is for a current corporate research project, all I can say is that we're working on intrusion detection. Wireshark can isolate UDP streams (Analyze --> Follow UDP Stream). We just need a way to automate the process and save each to a file.
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
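The automation asked for in this thread, splitting a whole capture into one file per TCP/UDP conversation, as an added example that is not code from the thread, from tcpflow or from Wireshark. It uses only the Python standard library and assumes a classic libpcap file (not pcapng) with Ethernet framing and IPv4. A "stream" is taken to be a bidirectional 5-tuple, which is what Follow UDP Stream shows, and each direction's payloads are concatenated in capture order. That is precisely the caveat raised above: there is no TCP sequence reassembly, so reordered or retransmitted TCP segments are not corrected (tcpflow does that part), and for UDP the output is only meaningful if the application protocol tolerates in-order concatenation. The sample capture at the bottom is constructed for the demo; all function names are this example's own.

```python
import os
import socket
import struct
import tempfile
from collections import OrderedDict

LINKTYPE_ETHERNET = 1


def iter_frames(pcap):
    """Yield raw link-layer frames from a classic pcap byte string."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"                      # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                      # file written big-endian
    else:
        raise ValueError("not a classic pcap (pcapng is not handled)")
    if struct.unpack_from(end + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24                           # past the 24-byte global header
    while off + 16 <= len(pcap):       # 16-byte per-packet record header
        incl_len = struct.unpack_from(end + "IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (flow_key, direction, payload) for IPv4 TCP/UDP, else None.

    Every index is bounds-checked first so a truncated or malformed
    packet is skipped rather than raising inside the loop."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20:
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto, src, dst = ip[9], ip[12:16], ip[16:20]
    l4 = ip[ihl:total_len]             # also trims Ethernet padding
    if proto == 6 and len(l4) >= 20:   # TCP: skip header by data offset
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8: # UDP: payload length from header
        sport, dport, ulen = struct.unpack_from("!HHH", l4, 0)
        payload = l4[8:ulen]
    else:
        return None
    a, b = (src, sport), (dst, dport)
    key = (proto,) + (a + b if a <= b else b + a)  # same key both ways
    return key, (src, sport, dst, dport), payload


def split_streams(pcap):
    """Map conversation key -> {direction: concatenated payload bytes}."""
    streams = OrderedDict()
    for frame in iter_frames(pcap):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, direction, payload = parsed
        per_dir = streams.setdefault(key, OrderedDict())
        per_dir[direction] = per_dir.get(direction, b"") + payload
    return streams


def stream_filename(proto, direction):
    """Filename built only from addresses and ports, so it is path-safe."""
    src, sport, dst, dport = direction
    return "%s_%s.%d-%s.%d" % ("tcp" if proto == 6 else "udp",
                               socket.inet_ntoa(src), sport,
                               socket.inet_ntoa(dst), dport)


def write_streams(streams, outdir):
    """Write one file per direction of each conversation; return the paths."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for key, per_dir in streams.items():
        for direction, data in per_dir.items():
            path = os.path.join(outdir, stream_filename(key[0], direction))
            with open(path, "wb") as fh:
                fh.write(data)
            written.append(path)
    return written


def _frame(proto, src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame for the demo capture."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # 20-byte TCP header, PSH|ACK, zero checksum (not validated here)
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                         8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                     0, socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip


def sample_pcap():
    """Constructed capture: one UDP exchange and one TCP exchange, interleaved."""
    frames = [_frame(17, "10.0.0.1", 40000, "10.0.0.53", 53, b"query"),
              _frame(6, "10.0.0.1", 50000, "10.0.0.80", 80, b"GET / "),
              _frame(17, "10.0.0.53", 53, "10.0.0.1", 40000, b"answer"),
              _frame(6, "10.0.0.80", 80, "10.0.0.1", 50000, b"200 OK"),
              _frame(6, "10.0.0.1", 50000, "10.0.0.80", 80, b"HTTP/1.0")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for p in write_streams(split_streams(sample_pcap()), tempfile.mkdtemp()):
        print(p)
```

Run against a real file with `split_streams(open("capture.pcap", "rb").read())`; the constructed capture yields four files, two per conversation, and the TCP client side contains "GET / HTTP/1.0" because its two segments arrived in order. Because the key is built from the sorted endpoint pair, both directions of a conversation land under one key even when the server side is seen first in the capture.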