Wireshark mailing list archives
Re: tshark Question
From: Average Guy <averageguy333 () yahoo com>
Date: Tue, 28 Dec 2010 07:02:45 -0800 (PST)
Thanks for your help. I am not exactly sure what you are referring to when you say "tracefile" but as for selecting a particular stream, I am interested in all streams so I first get a list of all stream IDs and then:

    tshark -r in.pcap -w out.pcap -R "tcp.stream eq StreamID"

Also I am interested in more than just "HTTP" since "Follow TCP Stream" covers more than just HTTP. It looks like I am left with no option and need to make some changes to tshark and recompile.

AG

________________________________
From: Sake Blok <sake () euronet nl>
To: Community support list for Wireshark <wireshark-users () wireshark org>
Sent: Tue, December 28, 2010 4:18:09 AM
Subject: Re: [Wireshark-users] tshark Question

It does not seem to be that nobody wants this functionality, but I guess most people use the tools available under Linux to achieve their goals.

One problem with implementing "follow XXX stream" for tshark is how to select the particular stream you're interested in as there are generally many streams in one tracefile.

If you look on ask.wireshark.org, you will see someone else needing this functionality and solving it by outputting XML data from a tracefile and merging the data to get whole HTTP requests and responses.

In other words, if you really need this functionality, you either need to develop it yourself or fill in an enhancement request @ https://bugzilla.wireshark.org. But in the latter case, there is no guarantee that it will be developed as there are a lot of things people would like to add to Wireshark.

Cheers,
Sake

On 28 dec 2010, at 03:39, Average Guy wrote:
Thanks Abhijit, a few issues with this thread, most important being I am using Windows which rules out tcpflow and any other *nix based tool. Also, I am not searching for any particular string and I need output (printed or saved) exactly like "Follow TCP Stream->Save As" in Wireshark.

I am trying to convince myself that there is an option in tshark since the behavior is defined in Wireshark... but I am having a hard time believing there is hardly anyone out there in search of similar functionality.

AG

From: Abhijit Bare <abhibare () gmail com>
To: Community support list for Wireshark <wireshark-users () wireshark org>
Sent: Mon, December 27, 2010 5:51:03 PM
Subject: Re: [Wireshark-users] tshark Question

Wondering if this thread will help you...
http://www.wireshark.org/lists/wireshark-users/201005/msg00221.html

On Mon, Dec 27, 2010 at 1:19 PM, Average Guy <averageguy333 () yahoo com> wrote:

Better way of putting this, I am looking for the same output as in Wireshark: Follow TCP Stream->Save As(Raw)

-AG

From: Average Guy <averageguy333 () yahoo com>
To: wireshark-users () wireshark org
Sent: Mon, December 27, 2010 1:27:14 PM
Subject: [Wireshark-users] tshark Question

Greetings,

I am trying to extract the TCP Payload from reassembled TCP streams in Windows. The data I am interested in can be found in tshark output when -x option is used. When -x is used, the section/field is called "Reassembled TCP". I cannot find an option or field in tshark to print or output this section.

In short I am trying to do the same thing tcpflow does in Linux and dump the payload of reassembled TCP streams. There is no particular reason why I am using tshark since it is the only tool (win32) I have found so far but I am open to suggestions.

Thank you in advance.
AG

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
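An added example, not part of the original thread or of Wireshark: a pure-Python sketch (so it also runs on Windows) of the tcpflow-style dump requested above, writing out each direction's TCP payload in sequence order. The function names and the sample capture are constructed for illustration; it assumes a classic pcap file (not pcapng), Ethernet/IPv4 framing, and no 32-bit sequence-number wraparound.

```python
import struct
def tcp_segments(pcap):
    """Yield (flow, seq, payload) per IPv4/TCP packet in a classic Ethernet pcap."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # drop padding
        tcp = ip[(ip[0] & 0x0F) * 4:]
        if len(tcp) >= 20:
            sport, dport, seq = struct.unpack("!HHI", tcp[:8])
            yield (ip[12:16], sport, ip[16:20], dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap):
    """Return {flow: bytes}: each direction's payload in sequence order."""
    segs = {}
    for flow, seq, payload in tcp_segments(pcap):
        if payload:  # ignore bare SYN/ACK/FIN segments
            segs.setdefault(flow, []).append((seq, payload))
    out = {}
    for flow, items in segs.items():
        data, nxt = bytearray(), min(items)[0]
        for seq, payload in sorted(items):
            skip = nxt - seq  # bytes already written (retransmission/overlap)
            if skip < 0:
                break  # gap in the capture: stop instead of splicing
            data += payload[skip:]
            nxt = max(nxt, seq + len(payload))
        out[flow] = bytes(data)
    return out

def _frame(src, dst, sport, dport, seq, payload):  # builds one constructed packet
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    eth = bytes(12) + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

def sample_pcap():  # constructed capture, not data from the thread
    c, s = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
        _frame(c, s, 40000, 80, 1006, b"HTTP/1.0\r\n\r\n"),   # arrives out of order
        _frame(c, s, 40000, 80, 1000, b"GET / "),
        _frame(c, s, 40000, 80, 1000, b"GET / "),             # retransmission
        _frame(s, c, 80, 40000, 5000, b"HTTP/1.0 200 OK\r\n\r\n"),
    ])
```

Each key of the returned dictionary is (source IP, source port, destination IP, destination port), so writing every value to its own file gives one raw payload file per direction of each connection.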