Wireshark mailing list archives
Re: tshark and tcp streams
From: "j.snelders" <j.snelders () telfort nl>
Date: Sat, 29 May 2010 13:31:17 +0200
Hi Douglas,

Can TShark statistics help you?
Create a table that lists all conversations that could be seen in the capture file:
-z conv,type[,filter]
http://www.wireshark.org/docs/man-pages/tshark.html

Run this script to create a table that lists the conversations in multiple files. Use paste --serial to merge the text files. Use rm to remove the temporary files.

    # One conversation table per capture file, written to a temporary text file
    for file in test2905*.pcap
    do
        tshark -r "$file" -q -z conv,tcp > "tmp-$file.txt"
    done
    # Merge the per-file tables, then remove the temporary files
    paste --serial tmp*.pcap.txt > test2905.txt
    rm -f tmp-*

Look for the conversation you want to extract from the capture files:

    TCP Conversations
    Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
    192.168.1.10:49664   <-> 207.204.17.246:80      83   121342      42     2622     125   123964

Create a display filter:
ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80

Run this script to save the packets to separate files, merge these files and remove the temporary files:

    # Write the packets of the chosen conversation from each capture to a temporary file
    for file in test2905*.pcap
    do
        tshark -r "$file" -w "tmp-$file" -R "ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80"
    done
    # Merge the per-file extracts into one capture, then remove the temporary files
    mergecap -w test2905c.pcap tmp-*
    rm -f tmp-*

Hope this helps
Joan

On Fri, 28 May 2010 21:29:42 +0000 (GMT) Douglas Ross wrote:
Thanks to Abhik for revealing the tshark commands: -T fields -e tcp.stream (see tshark command 19-21 May)
But does anyone know how to get tshark to follow streams across capture files?

Cheers
Doug
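Added example, not part of the messages above and not Wireshark's own code: the "look for the conversation, then create a display filter" step from Joan's reply, automated. It sums each conversation's Total frames and bytes across several `-z conv,tcp` tables and prints the matching display filter, largest conversation first. The function names and the second sample table are constructed, and the nine-column layout shown in the reply is assumed (plain integer byte counts).

```shell
# conv_filters: read `tshark -q -z conv,tcp` tables (stdin or file arguments)
# and print "<total bytes> <total frames> <display filter>" per conversation.
# Assumes the column layout from the post: A <-> B, then frames/bytes for
# "<-", "->" and Total, all plain integers.
conv_filters() {
  awk '
    # Split "addr:port" on the last colon so IPv6 addresses stay intact.
    function split_ep(ep, out) {
      if (!match(ep, /:[0-9]+$/)) return 0
      out["addr"] = substr(ep, 1, RSTART - 1)
      out["port"] = substr(ep, RSTART + 1)
      out["fld"]  = (out["addr"] ~ /:/) ? "ipv6.addr" : "ip.addr"
      return 1
    }
    # Data rows only: header and separator lines never have "<->" in field 2.
    $2 == "<->" && NF >= 9 && $8 ~ /^[0-9]+$/ && $9 ~ /^[0-9]+$/ {
      if (!split_ep($1, a) || !split_ep($3, b)) next
      # Order-independent key: A<->B in one file and B<->A in another merge.
      key = (($1 "") < ($3 "")) ? $1 " " $3 : $3 " " $1
      if (!(key in filter))
        filter[key] = sprintf("%s==%s && tcp.port==%s && %s==%s && tcp.port==%s",
                              a["fld"], a["addr"], a["port"],
                              b["fld"], b["addr"], b["port"])
      frames[key] += $8
      bytes[key]  += $9
    }
    END {
      for (k in filter)
        printf "%.0f %.0f %s\n", bytes[k], frames[k], filter[k]
    }
  ' "$@" | sort -rn
}

# Constructed sample: the table from the post, followed by a second,
# made-up table from another file with the endpoints listed in reverse.
sample_tables() {
  cat <<'EOF'
TCP Conversations
Filter:<No Filter>
                                  |  <-  | |  ->  | | Total |
192.168.1.10:49664 <-> 207.204.17.246:80 83 121342 42 2622 125 123964
TCP Conversations
Filter:<No Filter>
207.204.17.246:80 <-> 192.168.1.10:49664 5 300 10 1000 15 1300
192.168.1.10:49670 <-> 10.0.0.5:443 3 180 2 120 5 300
EOF
}

# Largest conversation across both sample tables, with its filter.
sample_tables | conv_filters | head -n 1
```

With real captures, pass the per-file tables produced by the first loop (for example `conv_filters tmp-*.pcap.txt`, run before they are merged and removed) and paste the chosen filter into the extraction loop.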