On May 8, 2008, at 11:35 AM, Eiland, Edward (GE, Research) wrote:
I have a need to review reconstituted TCP/UDP streams across an
entire packet capture file. While this is possible manually, it
surely is not practical for large pcap files. Does a solution
exist to automate this process? It would, for my problem, actually
be best for each stream to be saved in a separate file.

http://wiki.wireshark.org/Tools
speaks of
tcpflow Extracts data streams from TCP connections and writes each
stream to a file (GPL, BSD/Linux/Unix)
under "Monitoring/tracing tools"; see
http://www.circlemud.org/~jelson/software/tcpflow/
It doesn't handle UDP, but, as UDP is a packet-oriented rather than a
byte-stream protocol, it's less clear what a UDP "stream" is, and, as
UDP does not itself do reliable in-order delivery, it's not clear that
a file made up of all the UDP packet payloads, in sequence, glued
together would be useful. What *particular* protocols running atop
UDP are you dealing with here?
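As an added illustration of the distinction drawn in the reply above (this is not code from the thread or from tcpflow): a minimal Python extractor that reassembles each TCP flow by sequence number but keeps UDP datagrams as separate records, run over a constructed in-memory pcap. The addresses, ports and payloads are made up.

```python
import struct
from collections import defaultdict

def pcap_frames(data):  # yield link-layer frames from an in-memory libpcap (usec) file
    e = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic 0xa1b2c3d4 as stored
    off = 24                                               # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def extract_flows(pcap_bytes):  # (proto, src, sport, dst, dport) -> bytes or [datagrams]
    tcp, udp = defaultdict(dict), defaultdict(list)
    for fr in pcap_frames(pcap_bytes):
        if fr[12:14] != b"\x08\x00":                       # Ethernet II carrying IPv4 only
            continue
        ip = fr[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        l4 = ip[ihl:struct.unpack("!H", ip[2:4])[0]]       # trim Ethernet padding, if any
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        sport, dport = struct.unpack("!HH", l4[:4])
        key = ("tcp" if proto == 6 else "udp", src, sport, dst, dport)
        if proto == 6:
            seq = struct.unpack("!I", l4[4:8])[0]
            payload = l4[(l4[12] >> 4) * 4:]
            if payload:                                    # order by seq, drop exact retransmits
                tcp[key].setdefault(seq, payload)
        elif proto == 17:
            udp[key].append(l4[8:])                        # UDP: keep each datagram separate
    return {**{k: b"".join(v[s] for s in sorted(v)) for k, v in tcp.items()}, **udp}

# Constructed sample capture (made-up addresses/ports): a TCP request whose segments
# arrive out of order with one retransmission, plus two UDP datagrams.
def _frame(proto, sport, dport, l4_rest):
    l4 = struct.pack("!HH", sport, dport) + l4_rest
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4
def _tcp(seq, payload):                                    # 20-byte header, PSH|ACK
    return struct.pack("!IIBBHHH", seq, 0, 0x50, 0x18, 8192, 0, 0) + payload
def _pcap(frames):                                         # libpcap v2.4, LINKTYPE_ETHERNET
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
SAMPLE_PCAP = _pcap([
    _frame(6, 40000, 80, _tcp(1004, b"/ HTTP/1.0\r\n\r\n")),   # arrives before its predecessor
    _frame(6, 40000, 80, _tcp(1000, b"GET ")),
    _frame(6, 40000, 80, _tcp(1000, b"GET ")),                 # retransmission
    _frame(17, 5000, 53, struct.pack("!HH", 10, 0) + b"q1"),   # UDP length 10, checksum 0
    _frame(17, 5000, 53, struct.pack("!HH", 10, 0) + b"q2"),
])
```

Each key is one direction of a conversation, so writing `flows[key]` to a file per key gives the one-file-per-stream layout asked for. Overlapping partial retransmissions, IPv6 and non-Ethernet link types are deliberately not handled here.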