Re: tshark Question

[Sake Blok <sake () euronet nl>]

It does not seem to be that nobody wants this functionality, but I guess most people use the tools available under 
linux to achieve their goals. One problem with implementing "follow XXX stream" for tshark is how to select the 
particular stream you're interested in as there are generally many streams in one tracefile.

If you look on ask.wireshark.org, you will see someone else needing this functionality and solving it by outputting XML 
data from a tracefile and merging the data to get whole HTTP requests and responses.

In other words, if you really need this functionality, you either need to develop it yourself or fill in an enhancement 
request @ https://bugzilla.wireshark.org. But in the latter case, there is no guarantee that it will be developed as 
there is a lot of things people would like to add to Wireshark.

Cheers,


Sake


On 28 dec 2010, at 03:39, Average Guy wrote:

> Thanks Abhijit, a few issues with this thread, most important being I am using Windows which rules out tcpflow and 
> any other *nix based tool. Also, I am not searching for any particular string and I need output(printed or saved ) 
> exactly like "Follow TCP Stream->Save As" in Wireshark. I am trying to convince myself that there is an option in 
> tshark since the bevaior is defined in Wireshark... but I am having a hard time believing there is hardly anyone out 
> there in search of similar functionality. 
>
> AG
>
> From: Abhijit Bare <abhibare () gmail com>
> To: Community support list for Wireshark <wireshark-users () wireshark org>
> Sent: Mon, December 27, 2010 5:51:03 PM
> Subject: Re: [Wireshark-users] tshark Question
>
> Wondering if this thread will help you...
>
> http://www.wireshark.org/lists/wireshark-users/201005/msg00221.html
>
> On Mon, Dec 27, 2010 at 1:19 PM, Average Guy <averageguy333 () yahoo com> wrote:
> Better way of putting this, I am looking for the same output as in wireshark:
>
> Follow TCP Stream->Save As(Raw) 
>
> -AG
>
> From: Average Guy <averageguy333 () yahoo com>
> To: wireshark-users () wireshark org
> Sent: Mon, December 27, 2010 1:27:14 PM
> Subject: [Wireshark-users] tshark Question
>
> Greetings,
>
> I am trying to extract the TCP Payload from reassembled TCP streams in Windows. The data I am interested in can be 
> found in tshark output when -x option is used. When -x is used, the section/filed is called "Reassembled TCP". I can 
> not find an option or field in tshark to print or output this section. In short I am trying to do the same thing 
> tcpflow does in Linux and dump the payload of reassembled TCP streams. There is no particular reason why I am using 
> tshark since it is the only tool(win32) I have found so far but I am open to suggestions.  Thank you in advance. 
>
> AG
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe