Wireshark-users: [Wireshark-users] Output data for a reassembled tcp.
Hello list,
I have a capture file with a bunch of TCP frames in it whose data
wireshark/tshark reassemble into one big chunk of data. Now
in wireshark I can go to File>Export>Objects>HTTP and export this data
just fine.
Now, suppose I want to do this programmatically, for the computer to
automatically pull that data out whenever it encounters some
filter (which I have). My first thought was that tshark should be able to do
this no problem; however, the best I can get tshark to do is output the
entire frame with the -x option. So I get a bunch of stuff I don't
really need, plus the data I want is in hex, so I would need to write a
parser of my own to go through that output and convert the stuff I want
from hex to bytes. Now this wouldn't be all that difficult, but I
figured if wireshark can do what I want, why not tshark?
So my next thought was to use tshark+lua. After looking at some very
very skimpy examples that seemed to have very simplistic purposes, I was
able to get a byte array of the frame in question. However, this is only
the bytes of the frame itself, not of the TCP reassembled data, and I
saw no way of actually getting that data. The wireshark+lua
documentation and API seem very thin, as does any information regarding
tshark and its capabilities versus wireshark.
I thought something like what I want to do (export the TCP reassembled
data to a file) would be a relatively simple thing to do. It is very
simple to do in wireshark, but it seems that is the only place you can do
it. Any help on this subject would be appreciated.
Mike M
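Added example (not code from the original post, nor from the Wireshark project): the "parser of my own" the post describes, written as a post-processor for `tshark -x` output. It assumes the layout tshark prints when a frame carries more than one data source: a header such as `Reassembled TCP (51 bytes):` before each hex dump, hexdump lines of the form `offset  xx xx ... xx   ascii`, and no header at all when the frame itself is the only source. The tshark output embedded below is constructed by hand to mimic that layout (frame dumps are abbreviated to one line), not taken from a real capture, and the file names it writes are the script's own choice.

```python
#!/usr/bin/env python3
"""Pull "Reassembled TCP" data sources out of `tshark -x` output.

Added example; not code from the original post or from Wireshark. It assumes
the layout tshark uses when a frame has several data sources: a header line
such as "Reassembled TCP (51 bytes):" before each dump, hexdump lines of the
form "offset  xx xx ... xx   ascii", and no header when the frame is the only
source.
"""
import os
import re
import sys

# Data source header, e.g. "Frame (66 bytes):" or "Reassembled TCP (1460 bytes):"
HEADER_RE = re.compile(r"^(?P<name>[^(]+?) \((?P<count>\d+) bytes\):\s*$")
# Hexdump line: lowercase hex offset, two spaces, then at least one "xx" group.
HEXLINE_RE = re.compile(r"^[0-9a-f]{4,8}  (?P<rest>[0-9a-f]{2}(?: |$).*)$")
HEXPAIR_RE = re.compile(r"[0-9a-f]{2}")

# Constructed sample of `tshark -x` output (not a real capture). The first
# packet has a single data source and therefore no header; the HTTP response
# frame has two. Frame dumps are abbreviated to one line each.
SAMPLE = """\
  3   0.001204    10.0.0.1 -> 10.0.0.2    TCP 74 54321 > 80 [SYN] Seq=0 Win=29200 Len=0
0000  00 0c 29 7b 8f 4d 00 50 56 c0 00 08 08 00 45 00   ..){.M.PV.....E.

  7   0.004400    10.0.0.2 -> 10.0.0.1    HTTP 117 HTTP/1.1 200 OK  (text/plain)

Frame (16 bytes):
0000  00 50 56 c0 00 08 00 0c 29 7b 8f 4d 08 00 45 00   .PV.....){.M..E.

Reassembled TCP (51 bytes):
0000  48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d   HTTP/1.1 200 OK.
0010  0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a   .Content-Length:
0020  20 31 32 0d 0a 0d 0a 68 65 6c 6c 6f 2c 20 77 6f    12....hello, wo
0030  72 6c 64                                          rld
"""


def parse_hexline(line):
    """Return the bytes encoded in one hexdump line.

    At most 16 "xx " groups follow "offset  ", so the hex field is the next
    47 characters; anything that is not a hex pair is the ASCII column of an
    unpadded short line and ends the scan.
    """
    m = HEXLINE_RE.match(line)
    if not m:
        raise ValueError("not a hexdump line: %r" % line)
    out = bytearray()
    for tok in m.group("rest")[:47].split():
        if not HEXPAIR_RE.fullmatch(tok):
            break
        out.append(int(tok, 16))
    return bytes(out)


def parse_data_sources(text):
    """Return [(name, declared_length_or_None, data)] for every dump in `text`.

    Dumps that have no header (single-source frames) are reported as "Frame".
    A packet summary line or blank line ends the dump in progress.
    """
    sources = []
    name, declared, buf = None, None, bytearray()
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            if buf:
                sources.append((name or "Frame", declared, bytes(buf)))
            name, declared, buf = h.group("name"), int(h.group("count")), bytearray()
        elif HEXLINE_RE.match(line):
            buf += parse_hexline(line)
        elif buf:
            sources.append((name or "Frame", declared, bytes(buf)))
            name, declared, buf = None, None, bytearray()
    if buf:
        sources.append((name or "Frame", declared, bytes(buf)))
    return sources


def extract_reassembled(text, source="Reassembled TCP"):
    """Return the payload bytes of every data source named `source`.

    The header's byte count is used to trim any ASCII-column noise and to
    detect a dump that was cut short (fewer bytes than declared).
    """
    payloads = []
    for name, declared, data in parse_data_sources(text):
        if name != source:
            continue
        if declared is not None:
            if len(data) < declared:
                raise ValueError("%s: got %d bytes, header says %d" % (name, len(data), declared))
            data = data[:declared]
        payloads.append(data)
    return payloads


def main(argv):
    """Read `tshark -x` output from stdin (or use SAMPLE when stdin is a
    terminal) and write each payload to <outdir>/reassembled-<n>.bin."""
    outdir = argv[1] if len(argv) > 1 else "."
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    os.makedirs(outdir, exist_ok=True)
    for n, payload in enumerate(extract_reassembled(text), 1):
        path = os.path.join(outdir, "reassembled-%d.bin" % n)
        with open(path, "wb") as f:
            f.write(payload)
        print("%s: %d bytes" % (path, len(payload)))


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `tshark -r capture.pcap -Y '<your filter>' -x | python3 extract_reassembled.py outdir` (older tshark releases take the filter with `-R` instead of `-Y`). Keying on the data source name rather than on frame boundaries is what makes this work: tshark prints the reassembled buffer as its own named source only on the frame that completes the reassembly, so with a filter that selects those frames each file is one complete payload. Current tshark releases also have `--export-objects http,<dir>`, which does the same job as the GUI's File>Export>Objects>HTTP and makes the post-processing unnecessary where it is available.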