Wireshark mailing list archives
extract tcp session tshark
From: Christophe Vandeplas <christophe () vandeplas com>
Date: Wed, 11 May 2011 10:38:55 +0200
Hello,

I'm desperately trying to extract the full tcp session/flow of packets to files. The functional thing I want to reach is the same as the following using the gui:

- open pcap file
- foreach stream as $i
-- filter: tcp.stream eq $i
-- Analyze > Follow TCP stream > Save As > enter filename
-- next stream

I have tried techniques like:

- tcpflow (which I even patched for extra features)
- chaosreader
- snort

However, tcpflow and chaosreader don't reassemble the packets in the right order (if they arrived in the wrong order), nor do they ignore retransmissions. This results in corrupted data in my flow/output files.

Snort (on my setup) went completely wrong with corrupted output files. However, on other systems it seemed to work.

I'm really convinced that it should be feasible with tshark. However, I haven't found the way to do this (neither manually nor automatically). I have looked into the -T fields, but with no result.

Can someone give me some advice? Maybe with lua scripts?

Thanks a lot for your expertise and help

Christophe
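The corruption described in the post above (segments written in arrival order, retransmitted bytes written twice) is avoided by placing every payload at the offset its sequence number gives it. The following is an added example, not part of the original post and not code from tshark, tcpflow or chaosreader; `reassemble`, `sample_segments`, `MESSAGE` and `ISN` are hypothetical names, and the sample segments are constructed. It handles one direction of one connection.

```python
MOD = 1 << 32  # TCP sequence numbers wrap at 2**32


def reassemble(isn, segments):
    """Rebuild one direction of a TCP stream.

    isn      -- sequence number of the SYN (first data byte is isn + 1)
    segments -- iterable of (seq, payload) in capture order
    Returns (data, gaps); gaps lists (offset, length) holes that no
    captured segment filled (they are zero-padded in data).
    """
    # Turn absolute sequence numbers into offsets from the first data
    # byte; the modulo keeps this correct across a 2**32 wrap.
    # Assumption: less than 4 GiB of data in this direction.
    chunks = [((seq - isn - 1) % MOD, payload)
              for seq, payload in segments if payload]
    chunks.sort(key=lambda c: c[0])  # stable sort: first capture wins ties

    data = bytearray()
    gaps = []
    for offset, payload in chunks:
        end = len(data)
        if offset > end:  # bytes missing from the capture
            gaps.append((end, offset - end))
            data.extend(b"\x00" * (offset - end))
            end = offset
        # Keep only bytes past what is already held: a pure
        # retransmission adds nothing, a partial overlap adds its tail.
        data.extend(payload[end - offset:])
    return bytes(data), gaps


# Constructed sample: one request split into segments whose sequence
# numbers cross the 2**32 boundary.
MESSAGE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
ISN = 0xFFFFFFF0


def sample_segments():
    def seg(start, stop):
        return ((ISN + 1 + start) % MOD, MESSAGE[start:stop])
    # Capture order: first, last (early), middle, middle retransmitted,
    # and a segment that partially overlaps two earlier ones.
    return [seg(0, 10), seg(30, len(MESSAGE)), seg(10, 30),
            seg(10, 30), seg(5, 15)]


if __name__ == "__main__":
    stream, holes = reassemble(ISN, sample_segments())
    print(stream, holes)
```
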