Wireshark-users: Re: [Wireshark-users] tshark commands
From: David Milbourne <dmilbo@xxxxxxxxx>
Date: Thu, 20 May 2010 18:47:12 -0400
So I was able to use the script that Abhik provided and just added " | sort -un " (without the quotes) to the end of the first line to prevent duplicate stream IDs.  It created separate PCAP files for each of the streams.  This replicated the "Follow TCP Stream" functionality of Wireshark.

Is it possible to replicate Wireshark's "Follow SSL Stream" in tshark?  If so, how?

DM

On Thu, May 20, 2010 at 2:51 PM, David Milbourne <dmilbo@xxxxxxxxx> wrote:
Doug,

Good call.  I was using an older version of TShark and it didn't appear to work.  However, I upgraded to the latest and it works fine.

Thanks,
DM


On Thu, May 20, 2010 at 3:02 AM, Douglas Ross <doug_ross_59@xxxxxxxxxxx> wrote:
Hi David,
I'm a new Wireshark user; today I installed TShark 1.2.8 (is this the version you use?)

-e tcp.stream
works on my win32 system

-R "tcp.stream eq <nnn>"
also works

but the output is a pcap file, and not the same format as given by the Wireshark GUI "Follow TCP stream".

Hope this helps.
Doug

From: David Milbourne <dmilbo@xxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Thu, 20 May, 2010 5:51:09 AM
Subject: Re: [Wireshark-users] tshark commands

Abhik,

Thanks for the reply.  I tried what you mentioned below.  It looks like I don't get anything back when I type:

tshark -T fields -e tcp.stream -r server.pcap

I tried with different fields (i.e. ip.src, ip.dst) and those work fine.  Nothing displays when I use tcp.stream.

DM

On Wed, May 19, 2010 at 2:23 PM, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:
Hi David,

Not sure if you are using Windows or *nix, but if you are on the latter, a script similar to this might work:

# list the ids of the TCP streams whose payload contains the marker, then write each stream to its own capture
for stream_id in `tshark -T fields -e tcp.stream -r server.pcap -R "data contains NTF0"`
do
  tshark -r server.pcap -w server"$stream_id".pcap -R "tcp.stream eq $stream_id"
done

HTH,
Abhik
PS: I haven't checked the exact syntax or run the command, but it's just the idea.

On Wed, May 19, 2010 at 8:49 PM, David Milbourne <dmilbo@xxxxxxxxx> wrote:
Hello,

I'm trying to figure out how to use Wireshark's "Follow TCP Stream" feature in tshark.  For example, I have a PCAP file and I'd like to extract out all of the .ntf files.  I know if I type:

tshark -r server.pcap -R "data contains NTF0"

This will show me a list of the streams in the PCAP file that contain the above string.  However, how can I re-create these files (similar to "Follow TCP Stream" and "save as" in Wireshark)?

Thank-you,
DM

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
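The per-stream split from Abhik's script with David's `sort -un` deduplication, plus the reassembled-conversation output that Doug notes the pcap alone does not give, as an added example that is not code from any of the posters. It assumes a tshark recent enough to accept `-Y` (the display-filter option that replaced the `-R` used in the thread) and `-z follow`; the file and directory names are made up for the example.

```shell
#!/bin/sh
# Split a capture into one pcap per TCP stream matching a display filter, and also
# save each stream's reassembled conversation as the "Follow TCP Stream" dialog shows it.
# Assumes a tshark with -Y and -z follow (the 1.2.x builds in this thread had neither);
# the capture and output names are constructed for this example.
set -eu

# Distinct tcp.stream numbers of the packets in capture $1 that match display filter $2.
# grep drops the empty lines that non-TCP matches produce (sort -un would otherwise
# merge an empty line with stream 0); sort -un removes the duplicate ids David mentions.
matching_streams() {
    tshark -r "$1" -Y "$2" -T fields -e tcp.stream | grep -E '^[0-9]+$' | sort -un
}

# Write the packets of stream $2 from capture $1 to pcap $3 (the per-stream file the thread builds).
save_stream_pcap() {
    tshark -r "$1" -Y "tcp.stream eq $2" -w "$3"
}

# Print stream $2 of capture $1 as the two-sided ASCII view of Follow TCP Stream;
# -q keeps tshark from listing every packet before the statistics output.
follow_stream_ascii() {
    tshark -r "$1" -q -z "follow,tcp,ascii,$2"
}

# split_streams <capture> <display filter> <output dir>
split_streams() {
    capture=$1; filter=$2; outdir=$3
    mkdir -p "$outdir"
    matching_streams "$capture" "$filter" | while read -r id; do
        save_stream_pcap "$capture" "$id" "$outdir/stream-$id.pcap"
        follow_stream_ascii "$capture" "$id" > "$outdir/stream-$id.txt"
        echo "stream $id -> $outdir/stream-$id.pcap and $outdir/stream-$id.txt"
    done
}

# Usage with the capture and marker from the thread (the string quoted, as display filters expect):
#   split_streams server.pcap 'data contains "NTF0"' streams
```

Newer tshark releases also accept `follow,tls` (earlier `follow,ssl`) in place of `follow,tcp`, but only for sessions they can decrypt with configured key material.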