
Wireshark-users: Re: [Wireshark-users] tshark and tcp streams

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Sat, 29 May 2010 13:31:17 +0200
Hi Douglas,

Can TShark statistics help you?
Create a table that lists all conversations that could be seen in the capture
file:
-z conv,type[,filter]
http://www.wireshark.org/docs/man-pages/tshark.html

Run this script to create a table that lists the conversations in multiple
files.
Use paste --serial to merge the text files.
Use rm to remove the temporary files.

# One conversation table per capture file (the shell glob replaces `ls -1`)
for file in test2905*.pcap
do
  tshark -r "$file" -q -z conv,tcp > "tmp-$file.txt"
done
# Join the per-file tables one after the other, then clean up
paste --serial tmp-*.pcap.txt > test2905.txt
rm -f tmp-*


Look for the conversation you want to extract from the capture files:
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.10:49664   <-> 207.204.17.246:80         83    121342      42      2622     125    123964

Create a display filter:
ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80


Run this script to save the packets to separate files, merge these files
and remove the temporary files:

# Keep only the selected conversation from each capture file
# (-R is the tshark 1.x read filter; tshark 1.10 and later use -Y, or -2 -R)
for file in test2905*.pcap
do
  tshark -r "$file" -w "tmp-$file" -R "ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80"
done
# Merge the per-file results into one capture, then clean up
mergecap -w test2905c.pcap tmp-*
rm -f tmp-*


Hope this helps
Joan


On Fri, 28 May 2010 21:29:42 +0000 (GMT) Douglas Ross wrote:
>Thanks to Abhik for revealing the tshark commands: -T fields -e tcp.stream
>(see tshark command 19-21 May)
>
>But, does anyone know how to get tshark to follow streams across capture
>files ?
>
>Cheers
>Doug
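The procedure above (list conversations per file, pick one, filter each file, merge) as a single POSIX sh script. This is an added example, not code from the post or from the Wireshark project: it parses the `-z conv,tcp` table the post shows (embedded here as a constructed sample with one extra row), builds a direction-aware display filter for the chosen conversation, and extracts it from every capture into one merged file. It assumes a tshark recent enough to accept `-Y` with `-w` (the post's `-R` form is the older equivalent), IPv4 endpoints, and the post's `test2905*.pcap` file names. The filter it builds pins source and destination explicitly, because the post's `ip.addr`/`tcp.port` form would also match a conversation in which the two ports are swapped between the hosts.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): extract one TCP
# conversation from many capture files with tshark + mergecap.

# Constructed sample of "tshark -q -z conv,tcp" output. The first row is the
# one from the post; the second row is made up to show the parser skipping it.
SAMPLE_CONV='================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.10:49664   <-> 207.204.17.246:80         83    121342      42      2622     125    123964
192.168.1.10:49665   <-> 203.0.113.7:443            5       600       4       400       9      1000
================================================================================'

# conv_rows: read a conv,tcp table on stdin and print one line per
# conversation: "hostA portA hostB portB total_frames total_bytes".
# Only rows whose second field is "<->" are data rows; header and footer
# lines are skipped. Host and port are split at the last colon.
conv_rows() {
    awk '$2 == "<->" {
        n = split($1, a, ":"); pa = a[n]; ha = substr($1, 1, length($1) - length(pa) - 1)
        n = split($3, b, ":"); pb = b[n]; hb = substr($3, 1, length($3) - length(pb) - 1)
        print ha, pa, hb, pb, $8, $9
    }'
}

# conv_filter HOSTA PORTA HOSTB PORTB: print a display filter that matches
# packets between HOSTA:PORTA and HOSTB:PORTB in either direction, and
# nothing else (IPv4 fields assumed).
conv_filter() {
    printf '(ip.src==%s && tcp.srcport==%s && ip.dst==%s && tcp.dstport==%s) || (ip.src==%s && tcp.srcport==%s && ip.dst==%s && tcp.dstport==%s)\n' \
        "$1" "$2" "$3" "$4" "$3" "$4" "$1" "$2"
}

# pick_filter PEER: read a conv,tcp table on stdin and print the filter for
# the first conversation whose right-hand endpoint is PEER (host:port).
# Prints nothing if no row matches.
pick_filter() {
    conv_rows | while read -r ha pa hb pb frames bytes; do
        if [ "$hb:$pb" = "$1" ]; then
            conv_filter "$ha" "$pa" "$hb" "$pb"
            break
        fi
    done
}

# extract_conversation OUT FILTER FILE...: apply FILTER to every capture,
# then merge the per-file results into OUT (mergecap orders them by
# timestamp by default). A private temp dir keeps the cleanup from touching
# unrelated "tmp-*" files in the working directory.
extract_conversation() {
    out=$1; filter=$2; shift 2
    tmpdir=$(mktemp -d) || return 1
    for f in "$@"; do
        tshark -r "$f" -Y "$filter" -w "$tmpdir/$(basename "$f")" \
            || { rm -rf "$tmpdir"; return 1; }
    done
    mergecap -w "$out" "$tmpdir"/*
    status=$?
    rm -rf "$tmpdir"
    return $status
}

# Demonstration on the constructed table: show the parsed rows and the
# filter for the conversation with 207.204.17.246:80 from the post.
printf '%s\n' "$SAMPLE_CONV" | conv_rows
FILTER=$(printf '%s\n' "$SAMPLE_CONV" | pick_filter 207.204.17.246:80)
printf 'filter: %s\n' "$FILTER"

# The extraction itself only runs when the tools and the capture files exist.
if command -v tshark >/dev/null 2>&1 && command -v mergecap >/dev/null 2>&1 \
   && [ -n "$(ls test2905*.pcap 2>/dev/null)" ]; then
    extract_conversation test2905c.pcap "$FILTER" test2905*.pcap
fi
```

In practice the table for each file comes from `tshark -r "$f" -q -z conv,tcp | conv_rows`; the same conversation may appear in several files, so a small frame count in one file and a large one in another is normal and is exactly why the per-file results are merged at the end.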