Wireshark-dev: Re: [Wireshark-dev] Displaying an entire pcap file by TCP/UDP stream

From: "Eiland, Edward (GE, Research)" <eiland@xxxxxx>
Date: Fri, 9 May 2008 07:45:51 -0400
Title: RE: [Wireshark-dev] Displaying an entire pcap file by TCP/UDP stream


-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Thursday, May 08, 2008 16:31
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Displaying an entire pcap file by TCP/UDP stream


On May 8, 2008, at 11:35 AM, Eiland, Edward (GE, Research) wrote:
> I have a need to review reconstituted TCP/UDP streams across an entire
> packet capture file.  While this is possible manually, it surely is
> not practical for large pcap files.  Does a solution exist to
> automate this process?  It would, for my problem, actually be best for
> each stream to be saved in a separate file.
>

        http://wiki.wireshark.org/Tools

speaks of

        tcpflow Extracts data streams from TCP connections and writes each stream to a file (GPL, BSD/Linux/Unix)

under "Monitoring/tracing tools"; see

        http://www.circlemud.org/~jelson/software/tcpflow/

It doesn't handle UDP, but, as UDP is a packet-oriented rather than a byte-stream protocol, it's less clear what a UDP "stream" is, and, as UDP does not itself do reliable in-order delivery, it's not clear that a file made up of all the UDP packet payloads, in sequence, glued together would be useful.  What *particular* protocols running atop UDP are you dealing with here?

Since this is for a current corporate research project, all I can say is that we're working on intrusion detection.  Wireshark can isolate UDP streams (Analyze --> Follow UDP Stream).  We just need a way to automate the process and save each to a file.

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
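The automation asked for in this thread, as an added example that is not part of the original exchange, the Wireshark project, or tcpflow: a standard-library Python script that reads a libpcap file, groups UDP datagrams into bidirectional flows keyed on the (address, port) pair, exactly as Follow UDP Stream does, and writes each flow's payloads to one file. The pcap reader, the Ethernet/IPv4/UDP field offsets and the flow-key logic are this example's own; the function names (`iter_pcap_frames`, `udp_flows`, `write_streams`) and the sample capture built by `_udp_frame`/`build_pcap` are constructed for the demonstration. It assumes LINKTYPE_ETHERNET captures carrying unfragmented IPv4.

```python
import os
import struct
import tempfile


def iter_pcap_frames(data):
    """Yield raw link-layer frames from an in-memory libpcap file (either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:                     # LINKTYPE_ETHERNET only
        raise ValueError("only Ethernet captures are handled by this example")
    off = 24                              # past the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def udp_flows(pcap_bytes):
    """Group UDP payloads by bidirectional (addr, port) pair, like Follow UDP Stream.

    Returns {canonical_key: [(direction, payload), ...]} in capture order, where the
    key is the sorted pair of (ip, port) endpoints and direction 0 means the datagram
    came from the endpoint named first in the key.
    """
    flows = {}
    for frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
        if frame[23] != 17:
            continue                      # IP protocol field != UDP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = 14 + ihl                     # start of the UDP header
        sport, dport, ulen = struct.unpack_from("!HHH", frame, l4)
        payload = frame[l4 + 8:l4 + ulen]  # UDP length covers header + data
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)
        flows.setdefault(key, []).append((0 if (a, b) == key else 1, payload))
    return flows


def write_streams(flows, outdir=None):
    """Write each flow (both directions, capture order) to one file; return {path: bytes}."""
    outdir = outdir or tempfile.mkdtemp(prefix="udp_streams_")
    written = {}
    for (a, b), chunks in flows.items():
        path = os.path.join(outdir, "%s_%d-%s_%d.udp" % (a[0], a[1], b[0], b[1]))
        body = b"".join(payload for _, payload in chunks)
        with open(path, "wb") as fh:
            fh.write(body)
        written[path] = body
    return written


# --- constructed sample capture (not real traffic); checksums are left at zero ---
def _udp_frame(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1210000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    _udp_frame("10.0.0.1", "10.0.0.53", 40000, 53, b"q1"),   # flow 1, query
    _udp_frame("10.0.0.2", "10.0.0.9", 5000, 5000, b"A"),     # flow 2
    _udp_frame("10.0.0.53", "10.0.0.1", 53, 40000, b"r1"),   # flow 1, reply
    _udp_frame("10.0.0.1", "10.0.0.53", 40000, 53, b"q2"),   # flow 1, second query
])

if __name__ == "__main__":
    for path, body in write_streams(udp_flows(SAMPLE_PCAP)).items():
        print(path, len(body), "bytes")
```

To run it against a real capture, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` (classic libpcap format, not pcapng). The output mirrors what Follow UDP Stream's "Save As" produces for a single flow with both directions selected: payloads glued together in the order they were captured, with no attempt to reorder or deduplicate, which is the limitation Guy raises above. If the datagrams carry an application protocol that matters to the analysis, the `direction` value kept in `udp_flows` is the hook for splitting or labelling the two sides instead of concatenating them.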