Wireshark · Wireshark-users: Re: [Wireshark-users] tshark commands

Wireshark-users: Re: [Wireshark-users] tshark commands

From: Overkill <overkill@xxxxxxxxxx>

Date: Wed, 19 May 2010 14:08:11 -0400

I'm trying to figure out the same thing so if you figure it out please let me know. Someone suggested to use tcpflow but I was not able to view that in a nice 'follow tcp stream' format.

-Adnan

On 05/19/2010 12:49 PM, David Milbourne wrote:

Hello,

I'm trying to figure out how to use Wireshark's "Follow TCP Stream" feature in tshark. For example, I have a PCAP file and I'd like to extract out all of the .ntf files. I know if I type:

tshark -r server.pcap -R "data contains NTF0"

This will show me a list of the streams in the PCAP file that contain the above string. However, how can I re-create these files (similar to "Follow TCP Stream" and "save as" in Wireshark)?

Thank-you,
DM
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

References:
- [Wireshark-users] tshark commands
  - From: David Milbourne

Prev by Date: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations
Next by Date: Re: [Wireshark-users] tshark or dumpcap ring buffer limitations
Previous by thread: [Wireshark-users] tshark commands
Next by thread: Re: [Wireshark-users] tshark commands
Index(es):
- Date
- Thread