Wireshark mailing list archives

Re: tshark commands


From: David Milbourne <dmilbo () gmail com>
Date: Thu, 20 May 2010 14:51:43 -0400

Doug,

Good call.  I was using an older version of TShark and it didn't appear to
work.  However, I upgraded to the latest and it works fine.

Thanks,
DM

On Thu, May 20, 2010 at 3:02 AM, Douglas Ross <doug_ross_59 () yahoo co uk> wrote:

Hi David,
I'm a new wireshark user, today installed TShark 1.2.8 (is this the version
you use?)

-e tcp.stream
works on my win32 system

-R "tcp.stream eq <nnn>"
also works

but output is a pcap file, and not the same format as given by Wireshark
GUI "Follow TCP stream".

Hope this helps.
Doug




------------------------------
*From:* David Milbourne <dmilbo () gmail com>
*To:* Community support list for Wireshark <wireshark-users () wireshark org>
*Sent:* Thu, 20 May, 2010 5:51:09 AM
*Subject:* Re: [Wireshark-users] tshark commands

Abhik,

Thanks for the reply.  I tried what you mentioned below.  It looks like I
don't get anything back when I type:

tshark -T fields -e tcp.stream -r server.pcap

I tried with different fields (i.e. ip.src, ip.dst) and those work fine.
Nothing displays when I use tcp.stream.

DM

On Wed, May 19, 2010 at 2:23 PM, Abhik Sarkar <sarkar.abhik () gmail com> wrote:

Hi David,

Not sure if you are using Windows or *nix, but if you are on the latter, a
script similar to this might work:

# Collect the stream ids of the packets matching the filter (tshark prints one id per
# packet, so de-duplicate), then write each matching stream to its own capture file.
for stream_id in $(tshark -T fields -e tcp.stream -r server.pcap -R "data contains NTF0" | sort -un)
do
  tshark -r server.pcap -w "server${stream_id}.pcap" -R "tcp.stream eq ${stream_id}"
done

HTH,
Abhik
PS: I haven't checked the exact syntax or run the command, but it's just
the idea.

On Wed, May 19, 2010 at 8:49 PM, David Milbourne <dmilbo () gmail com> wrote:

Hello,

I'm trying to figure out how to use Wireshark's "Follow TCP Stream"
feature in tshark.  For example, I have a PCAP file and I'd like to extract
out all of the .ntf files.  I know if I type:

tshark -r server.pcap -R "data contains NTF0"

This will show me a list of the streams in the PCAP file that contain the
above string.  However, how can I re-create these files (similar to "Follow
TCP Stream" and "save as" in Wireshark)?

Thank-you,
DM


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
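Doug's last point in the thread is that `tshark -w` with a `tcp.stream eq <nnn>` filter gives a pcap, not the reassembled payload that "Follow TCP Stream" and "Save As" produce. The following is an added, stand-alone Python example (not from the thread and not part of tshark) that does that reassembly itself: it parses a pcap, reorders each stream's segments per direction by sequence number, and keeps only the streams whose data contains a given byte string, which is the script equivalent of `-R "data contains NTF0"`. The frame builder, addresses, ports and payloads are constructed for the demonstration.

```python
import struct
from collections import defaultdict
def tcp_frame(src, dst, sport, dport, seq, payload):  # constructed frame; checksums left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MAC addresses, EtherType IPv4
def build_pcap(frames):
    # Little-endian pcap, link type 1 (Ethernet), one 16-byte record header per frame.
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1274300000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))
def iter_frames(pcap):
    # Walk the record headers (little-endian, as build_pcap writes; byte-swapped captures need ">").
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl
def follow_tcp_streams(pcap, needle=b""):
    """Reassemble each TCP stream's payload per direction; keep streams whose data contains needle."""
    segs = defaultdict(lambda: defaultdict(dict))  # stream -> direction -> seq -> payload
    for f in iter_frames(pcap):
        if f[12:14] != b"\x08\x00" or f[23] != 6:  # IPv4 over Ethernet carrying TCP only
            continue
        ip = f[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        src, dst, tcp = ip[12:16], ip[16:20], ip[ihl:total]  # slicing by IP length drops padding
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            a, b = (src, sport), (dst, dport)
            key = tuple(sorted([a, b]))  # one key for both directions of the conversation
            segs[key][a + b][seq] = payload  # retransmissions collapse on seq (no 32-bit wrap handling)
    streams = {}
    for key, dirs in segs.items():
        joined = {d: b"".join(p for _, p in sorted(s.items())) for d, s in dirs.items()}
        if any(needle in data for data in joined.values()):
            streams[key] = joined
    return streams

# Constructed sample: stream A<->B carries "NTF0" (segments reordered, one retransmitted); C<->B does not.
A, B, C = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])
SAMPLE_PCAP = build_pcap([
    tcp_frame(A, B, 40000, 80, 1000, b"GET /x.ntf HTTP/1.0\r\n\r\n"),
    tcp_frame(B, A, 80, 40000, 5019, b"NTF0 file body"),  # captured before the seq 5000 segment
    tcp_frame(B, A, 80, 40000, 5000, b"HTTP/1.0 200 OK\r\n\r\n"),
    tcp_frame(B, A, 80, 40000, 5000, b"HTTP/1.0 200 OK\r\n\r\n"),  # retransmission
    tcp_frame(C, B, 40001, 80, 1, b"GET / HTTP/1.0\r\n\r\n"),
])
```

Writing each direction's bytes from `follow_tcp_streams()` to a file is the "Save As" step; newer tshark releases can also print a single stream directly with `-z follow,tcp,ascii,<stream>`, so this script is only needed where that option is unavailable.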