Wireshark mailing list archives
Re: tshark commands
From: David Milbourne <dmilbo () gmail com>
Date: Thu, 20 May 2010 18:47:12 -0400
So I was able to use the script that Abhik provided and just added " | sort -un " (without the quotes) to the end of the first line to prevent duplicate stream IDs. It created separate PCAP files for each of the streams. This replicated the "Follow TCP Stream" functionality of Wireshark.

Is it possible to replicate Wireshark's "Follow SSL Stream" in tshark? If so, how?

DM

On Thu, May 20, 2010 at 2:51 PM, David Milbourne <dmilbo () gmail com> wrote:

> Doug,
>
> Good call. I was using an older version of TShark and it didn't appear to work. However, I upgraded to the latest and it works fine.
>
> Thanks,
> DM
>
> On Thu, May 20, 2010 at 3:02 AM, Douglas Ross <doug_ross_59 () yahoo co uk> wrote:
>
>> Hi David,
>>
>> I'm a new wireshark user, today installed TShark 1.2.8 (is this the version you use?)
>>
>> -e tcp.stream works on my win32 system
>>
>> -R "tcp.stream eq <nnn>" also works but output is a pcap file, and not the same format as given by Wireshark GUI "Follow TCP stream".
>>
>> Hope this helps.
>>
>> Doug
>>
>> ------------------------------
>> *From:* David Milbourne <dmilbo () gmail com>
>> *To:* Community support list for Wireshark <wireshark-users () wireshark org>
>> *Sent:* Thu, 20 May, 2010 5:51:09 AM
>> *Subject:* Re: [Wireshark-users] tshark commands
>>
>> Abhik,
>>
>> Thanks for the reply. I tried what you mentioned below. It looks like I don't get anything back when I type:
>>
>>     tshark -T fields -e tcp.stream -r server.pcap
>>
>> I tried with different fields (i.e. ip.src, ip.dst) and those work fine. Nothing displays when I use tcp.stream.
>>
>> DM
>>
>> On Wed, May 19, 2010 at 2:23 PM, Abhik Sarkar <sarkar.abhik () gmail com> wrote:
>>
>>> Hi David,
>>>
>>> Not sure if you are using Windows or *nix, but if you are on the latter, a script similar to this might work:
>>>
>>>     for stream_id in `tshark -T fields -e tcp.stream -r server.pcap -R "data contains NTF0"`
>>>     do
>>>         tshark -r server.pcap -w server"$stream_id".pcap -R "tcp.stream eq $stream_id"
>>>     done
>>>
>>> HTH,
>>> Abhik
>>>
>>> PS: I haven't checked the exact syntax or run the command, but it's just the idea.
>>>
>>> On Wed, May 19, 2010 at 8:49 PM, David Milbourne <dmilbo () gmail com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying to figure out how to use Wireshark's "Follow TCP Stream" feature in tshark. For example, I have a PCAP file and I'd like to extract out all of the .ntf files. I know if I type:
>>>>
>>>>     tshark -r server.pcap -R "data contains NTF0"
>>>>
>>>> This will show me a list of the streams in the PCAP file that contain the above string.
>>>>
>>>> However, how can I re-create these files (similar to "Follow TCP Stream" and "save as" in Wireshark)?
>>>>
>>>> Thank-you,
>>>> DM
>>>>
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>              mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- tshark commands David Milbourne (May 19)
- Re: tshark commands Overkill (May 19)
- Re: tshark commands Abhik Sarkar (May 19)
- Re: tshark commands David Milbourne (May 19)
- Re: tshark commands Douglas Ross (May 20)
- Re: tshark commands David Milbourne (May 20)
- Re: tshark commands David Milbourne (May 20)
- Re: tshark commands David Milbourne (May 19)