Wireshark mailing list archives

Re: How to "Follow TCP Stream" Using tshark


From: "j.snelders" <j.snelders () telfort nl>
Date: Sun, 22 Nov 2009 00:43:49 +0100

Hi Mathew,

You can use TShark statistics to show all tcp streams:
$ tshark -r test.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.2:2056     <-> 209.85.229.103:80         13     11456      12      2419      25     13875
192.168.1.2:2055     <-> 209.85.229.103:80         12      7542      11      2449      23      9991
192.168.1.2:2058     <-> 209.85.229.103:80         12     10276       9      1698      21     11974
192.168.1.2:2057     <-> 209.85.229.103:80          9      6814       9      1589      18      8403
192.168.1.2:2059     <-> 209.85.229.101:80          3       322       5       821       8      1143
================================================================================

Next you can use a display filter to save the stream to a separate capture
file:
$ tshark -r test.pcap -R "ip.addr==192.168.1.2 && tcp.port==2058 && ip.addr==192.168.1.2 && tcp.port==80" -w stream.pcap
 34  15.444707  192.168.1.2 -> 209.85.229.103 TCP 62 0 2058 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
 47  15.460711 209.85.229.103 -> 192.168.1.2  TCP 62 0 80 > 2058 [SYN, ACK] Seq=0 Ack=1 Win=5720 Len=0 MSS=1460
 48  15.460746  192.168.1.2 -> 209.85.229.103 TCP 54 0 2058 > 80 [ACK] Seq=1 Ack=1 Win=65535 Len=0
 49  15.497307  192.168.1.2 -> 209.85.229.103 HTTP 601 547 GET <snip>

Hope this helps.
Joan

On Sat, 21 Nov 2009 11:08:57 -0800 Mathew Brown wrote:

Hi,
 I was wondering if anyone can highlight how to tell tshark to "Follow
 TCP Stream" which you can easily do using the Wireshark GUI.  Thanks.

-- 
 Mathew Brown
 mathewbrown () fastmail fm
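The procedure in Joan's reply (list the TCP conversations with `-z conv,tcp`, then pull one of them out with a display filter) as an added, scripted example. This is not code from the post or from the Wireshark project; it only builds the tshark command lines and never runs tshark, so it works offline. The conversation table is a constructed sample re-typed from the post. Two things differ from the 2009 command shown above: `-Y` is the display-filter option on tshark 1.10 and later (`-R` from the post is now a two-pass read filter that needs `-2`), and `-z follow,tcp,ascii,<filter>` prints the reassembled stream the way the GUI's "Follow TCP Stream" does, taking either a stream index or an `ip:port,ip:port` pair.

```shell
#!/bin/sh
# Added example (not from the post): drive tshark's "follow" workflow from the
# conversation table. The sample table below is constructed (re-typed from the
# post); tshark is not invoked here, only the command lines are produced.
set -eu

# Constructed sample of `tshark -r test.pcap -q -z conv,tcp` output.
# Columns after the two endpoints are:
#   frames<- bytes<- frames-> bytes-> total-frames total-bytes
SAMPLE_CONV='================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.2:2056     <-> 209.85.229.103:80         13     11456      12      2419      25     13875
192.168.1.2:2055     <-> 209.85.229.103:80         12      7542      11      2449      23      9991
192.168.1.2:2058     <-> 209.85.229.103:80         12     10276       9      1698      21     11974
192.168.1.2:2057     <-> 209.85.229.103:80          9      6814       9      1589      18      8403
192.168.1.2:2059     <-> 209.85.229.101:80          3       322       5       821       8      1143
================================================================================'

# conv_pairs: read conv,tcp output on stdin and emit one "ipA:portA,ipB:portB"
# line per conversation, largest total byte count first. Only data rows carry
# "<->" in the second field, so the banner and header lines are skipped.
conv_pairs() {
    awk '$2 == "<->" { print $9, $1 "," $3 }' | sort -k1,1nr | cut -d' ' -f2-
}

# follow_cmds PAIR PCAP OUT: print the two tshark invocations that isolate one
# conversation: write its packets to their own capture file, then dump the
# reassembled payload as ASCII (the GUI's "Follow TCP Stream" view).
follow_cmds() {
    pair=$1; pcap=$2; out=$3
    a=${pair%,*}; b=${pair#*,}
    a_ip=${a%:*}; a_port=${a##*:}; b_ip=${b%:*}; b_port=${b##*:}
    printf "tshark -r '%s' -Y 'ip.addr==%s && tcp.port==%s && ip.addr==%s && tcp.port==%s' -w '%s'\n" \
        "$pcap" "$a_ip" "$a_port" "$b_ip" "$b_port" "$out"
    printf "tshark -r '%s' -q -z 'follow,tcp,ascii,%s'\n" "$pcap" "$pair"
}

# stream_cmd N PCAP OUT: the shortest form once the stream index is known,
# e.g. from `tshark -r PCAP -T fields -e tcp.stream -e ip.src -e tcp.srcport`.
stream_cmd() {
    printf "tshark -r '%s' -Y 'tcp.stream eq %s' -w '%s'\n" "$2" "$1" "$3"
}

# Stand-alone run: list the conversations, then the commands for the largest one.
biggest=$(printf '%s\n' "$SAMPLE_CONV" | conv_pairs | head -n 1)
printf '%s\n' "$SAMPLE_CONV" | conv_pairs
follow_cmds "$biggest" test.pcap stream.pcap
stream_cmd 2 test.pcap stream.pcap
```

Sorting by total bytes is a convenience for triage: the conversation that carried the most data is usually the one worth reading first. For a real capture, pipe `tshark -r test.pcap -q -z conv,tcp` into `conv_pairs` instead of the constructed sample.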

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe