Abhik,
Thanks for the reply. I tried what you mentioned below. It looks like I don't get anything back when I type:
tshark -T fields -e tcp.stream -r server.pcap
I tried with different fields (i.e. ip.src, ip.dst) and those work fine. Nothing displays when I use tcp.stream.
DM
On Wed, May 19, 2010 at 2:23 PM, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:
Hi David,
Not sure if you are using Windows or *nix, but if you are on the latter, a script similar to this might work:
for stream_id in `tshark -T fields -e tcp.stream -r server.pcap -R "data contains NTF0"`
do
    tshark -r server.pcap -w server"$stream_id".pcap -R "tcp.stream eq $stream_id"
done
HTH,
Abhik
PS: I haven't checked the exact syntax or run the command, but it's just the idea.
Hello,
I'm trying to figure out how to use Wireshark's "Follow TCP Stream" feature in tshark. For example, I have a PCAP file and I'd like to extract out all of the .ntf files. I know if I type:
tshark -r server.pcap -R "data contains NTF0"
This will show me a list of the streams in the PCAP file that contain the above string. However, how can I re-create these files (similar to "Follow TCP Stream" and "save as" in Wireshark)?
Thank you,
DM
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
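
Added example, not part of the original thread: a shell version of the per-stream split discussed above that de-duplicates the stream ids, ignores blank field output, and reports when no tcp.stream ids come back. It assumes a tshark build that accepts -Y for display filters (the thread's -R plays that role on older builds); the function names and output file names are hypothetical.

```shell
#!/bin/sh
# Added example: write one pcap per TCP stream that matches a display filter.

# Reduce `tshark -T fields -e tcp.stream` output (read from stdin) to unique
# numeric ids. Blank lines (packets without the field) and duplicates (one
# line per matching packet) are dropped so each stream is handled once.
unique_stream_ids() {
    sed -n '/^[0-9][0-9]*$/p' | sort -n -u
}

# Output name for a stream: server.pcap + 7 -> server-stream7.pcap
stream_pcap_name() {
    base=${1%.pcap}
    printf '%s-stream%s.pcap\n' "$base" "$2"
}

# split_streams CAPTURE FILTER
split_streams() {
    capture=$1
    filter=$2
    ids=$(tshark -r "$capture" -Y "$filter" -T fields -e tcp.stream | unique_stream_ids)
    if [ -z "$ids" ]; then
        # Nothing usable came back: say so instead of looping zero times.
        echo "no tcp.stream ids returned for filter: $filter" >&2
        return 1
    fi
    for id in $ids; do
        out=$(stream_pcap_name "$capture" "$id")
        # All packets of this conversation, not just the matching ones.
        tshark -r "$capture" -Y "tcp.stream eq $id" -w "$out"
        # Hex dump of the reassembled payload, the tshark counterpart of
        # "Follow TCP Stream" in the GUI.
        tshark -r "$capture" -q -z "follow,tcp,raw,$id" > "${out%.pcap}.follow.txt"
        echo "stream $id -> $out"
    done
}

# Runs only when arguments are given, e.g.:
#   sh split_streams.sh server.pcap 'data contains "NTF0"'
if [ "$#" -ge 2 ]; then
    split_streams "$1" "$2"
fi
```
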