Re: tshark commands

[David Milbourne <dmilbo () gmail com>]

So I was able to use the script that Abhik provided and just added " | sort
-un " (without the quotes) to the end of the first line to prevent duplicate
stream IDs.  It created separate PCAP files for each of the streams.  This
replicated the "Follow TCP Stream" functionality of Wireshark.

Is it possible to replicate Wireshark's "Follow SSL Stream" in tshark?  If
so, how?

DM

On Thu, May 20, 2010 at 2:51 PM, David Milbourne <dmilbo () gmail com> wrote:

> Doug,
>
> Good call.  I was using an older version of TShark and it didn't appear to
> work.  However, I upgraded to the latest and it works fine.
>
> Thanks,
> DM
>
>
> On Thu, May 20, 2010 at 3:02 AM, Douglas Ross <doug_ross_59 () yahoo co uk>wrote:
>
> > Hi David,
> > I'm a new wireshark user, today installed TShark 1.2.8 (is this the
> > version you use?)
> >
> > -e tcp.stream
> > works on my win32 system
> >
> > -R "tcp.stream eq <nnn>"
> > also works
> >
> > but output is a pcap file, and not the same format as given by Wireshark
> > GUI "Follow TCP stream".
> >
> > Hope this helps.
> > Doug
> >
> >
> >
> >
> >  ------------------------------
> > *From:* David Milbourne <dmilbo () gmail com>
> > *To:* Community support list for Wireshark <wireshark-users () wireshark org
> > >
> > *Sent:* Thu, 20 May, 2010 5:51:09 AM
> > *Subject:* Re: [Wireshark-users] tshark commands
> >
> > Abhik,
> >
> > Thanks for the reply.  I tried what you mentioned below.  It looks like I
> > don't get anything back when I type:
> >
> > tshark -T fields -e tcp.stream -r server.pcap
> >
> > I tried with different fields (i.e. ip.src, ip.dst) and those work fine.
> > Nothing displays when I use tcp.stream.
> >
> > DM
> >
> > On Wed, May 19, 2010 at 2:23 PM, Abhik Sarkar <sarkar.abhik () gmail com>wrote:
> >
> > > Hi David,
> > >
> > > Not sure if you are using Windows or *nix, but if you are on the latter,
> > > a script similar to this might work:
> > >
> > > for stream_id in `tshark -T fields -e tcp.stream -r server.pcap -R "data
> > > contains NTF0"`
> > > do
> > >   tshark -r server.pcap -w server"$stream_id".pcap -R "tcp.stream eq
> > > $stream_id"
> > > done
> > >
> > > HTH,
> > > Abhik
> > > PS: I haven't checked the exact syntax or run the command, but it's just
> > > the idea.
> > >
> > >   On Wed, May 19, 2010 at 8:49 PM, David Milbourne <dmilbo () gmail com>wrote:
> > >
> > > >  Hello,
> > > >
> > > > I'm trying to figure out how to use Wireshark's "Follow TCP Stream"
> > > > feature in tshark.  For example, I have a PCAP file and I'd like to extract
> > > > out all of the .ntf files.  I know if I type:
> > > >
> > > > tshark -r server.pcap -R "data contains NTF0"
> > > >
> > > > This will show me a list of the streams in the PCAP file that contain
> > > > the above string.  However, how can I re-create these files (similar to
> > > > "Follow TCP Stream" and "save as" in Wireshark)?
> > > >
> > > > Thank-you,
> > > > DM
> > > >
> > > >
> > > > ___________________________________________________________________________
> > > > Sent via:    Wireshark-users mailing list <
> > > > wireshark-users () wireshark org>
> > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > >             mailto:wireshark-users-request () wireshark org
> > > > ?subject=unsubscribe
> > >
> > >
> > >
> > > ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> > > >
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >             mailto:wireshark-users-request () wireshark org
> > > ?subject=unsubscribe
> >
> >
> >
> >
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> > ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe