Wireshark-users: Re: [Wireshark-users] Dumping multiple filters out to files?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 25 Oct 2008 13:19:41 -0700

On Oct 25, 2008, at 7:42 AM, Patrick M Geahan wrote:

Linux-specific answer ahead.

I recently had to solve the same problem; in my case, I used a
tool called tcpflow (http://www.circlemud.org/~jelson/software/tcpflow/)

Not exactly Linux-specific - that page says:

	Contributed Builds and Packages (off-site)
		• Packages for Slackware contributed by Kanedaaa
		• Debian package by Robert McQueen
		• FreeBSD Port by Jose M. Alcaide
		• OpenBSD Package (it's in there somewhere)
		• Solaris 8 SPARC Binary for v0.12 from SunFreeware.com
		• Mac OS X package by Marc Liyanage

I don't know whether there's a Windows port, but I wouldn't be surprised.

I did run into one minor issue with tcpflow, namely that it added
one byte to the beginning of all of the raw files.  This may perhaps
be a particular fluke of the method I've been using to analyze the
files, which started out as packeteer format before I converted
to pcap.

Possibly, but I'd expect it to affect *every* packet, so there'd be bytes inserted into the file at various points.

How did you convert Packeteer format to libpcap?

"You know, this is how the sum total of human knowledge is increased.
Not with idle speculation and meaningless chatter, but with a
medium-sized hammer and some free time." - spam.sc@xxxxxxxxx, a.f.c-a

(That's "alt.fan.cecil-adams":

	http://groups.google.com/group/alt.fan.cecil-adams/msg/525fe2bebe3cc095

for those who are curious.)