Wireshark mailing list archives
Re: TCP stream reassembly with timestamps
From: Erik Hjelmvik <erik.hjelmvik () gmail com>
Date: Wed, 11 Jan 2012 22:36:50 +0100
I suggest that you use tshark instead in order to display both the frame's timestamp and TCP payload data. Try this command:

    tshark.exe -r dump.pcap -T fields -e frame.time -e tcp.data

It will, however, output the TCP payload data in hex, i.e. like "48:54:54:50" instead of "HTTP".

/erik

2012/1/5 Neilen Marais <nmarais () ska ac za>:

I'm using wireshark to sniff communications between devices that use katcp (https://casper.berkeley.edu/wiki/KATCP). Katcp is a very simple text orientated messaging scheme, where messages are newline-delimited. Using wireshark's TCP stream reassembly I have 90% of my needs covered. The only other thing I need is a way to timestamp each newline in the reassembled stream.

Is there a simple way to do this in wireshark? Essentially (I guess) is a way to map a part of the reassembled TCP payload to the packet that it came from.

Thanks
Neilen

P.S. Apologies if this message is duplicated -- I tried sending it through gmane, but never received the confirmation email.

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
--
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec
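An added example, not part of the original thread: one way to turn the output of the tshark command above into timestamped newline-delimited messages, going a step beyond the reply by decoding the hex and tracking lines that span several frames. The function name and the sample rows are constructed for illustration; it assumes the rows cover one direction of one TCP stream, in order and without retransmissions.

```python
def timestamp_lines(rows):
    """Return (first_ts, last_ts, text) for every newline-terminated message.

    rows: lines of `tshark -T fields -e frame.time -e tcp.data` output,
    each "<timestamp><TAB><hex payload>". first_ts is the frame carrying the
    first byte of the message, last_ts the frame carrying its newline.
    """
    out, pending, first_ts = [], bytearray(), None
    for row in rows:
        ts, _, hexdata = row.rstrip("\r\n").partition("\t")
        if not hexdata:              # frame without TCP payload (bare ACK)
            continue
        # Accept both "48:54:54:50" and "48545450" styles of hex output.
        payload = bytes.fromhex(hexdata.replace(":", ""))
        pos = 0
        while pos < len(payload):
            if first_ts is None:     # a new message starts in this frame
                first_ts = ts
            nl = payload.find(b"\n", pos)
            if nl == -1:             # message continues in a later frame
                pending += payload[pos:]
                break
            pending += payload[pos:nl]
            text = pending.decode("ascii", "replace").rstrip("\r")
            out.append((first_ts, ts, text))
            pending, first_ts = bytearray(), None
            pos = nl + 1
    return out


def _row(ts, payload):
    """Build one constructed tshark-style row with colon-separated hex."""
    return ts + "\t" + ":".join(f"{b:02x}" for b in payload)


# Constructed sample: the second message is split across two frames and a
# payload-free frame sits in between.
SAMPLE_ROWS = [
    _row("Jan  5, 2012 10:00:00.100", b"#inform one\n#infor"),
    _row("Jan  5, 2012 10:00:00.250", b""),
    _row("Jan  5, 2012 10:00:00.300", b"m two\n!reply ok\n"),
]

if __name__ == "__main__":
    for first, last, text in timestamp_lines(SAMPLE_ROWS):
        print(f"{first} -> {last}  {text}")
```

On a real capture, restrict the rows to a single flow direction with a tshark display filter before feeding them in, since both directions of a conversation otherwise interleave in the output.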