Wireshark-users: Re: [Wireshark-users] how to grab printable text from entire TCP stream

Date: Wed, 14 Jan 2009 14:37:19 -0800 (PST)
Well, I've been playing around with exporting TCP stream and ngrep'ing through it...no luck...Here's what I tried


ngrep -W byline -I test.pcap (-I for input, test.pcap name of input file)...result...still got something that looked the same...tried a plethora of other ngrep combos too...all seem to give me similar results and not quite what I was looking for.

T 172.21.50.9:2292 -> 172.31.0.59:1433 [AP]
..._......
.....c........2....S.E.L.E.C.T. .U.N.D.E.R._.O.P.E.R.A.T.I.O.N.,.R.E.V.I.S.I.O.N._.S.T.G.,.T.D.M._.S.F._.S.E.R.V.I.C.E.,.T.D.M._.S.U.P.P.O.R.T.E.D._.C.L.B.,.T.D.M._.P.A.R.T._.C.H.E.C.K.,.T.D.M._.S.E.C.U.R.E.D._.B.Y. .F.R.O.M. .T.N._.D.O.C.U.M.E.N.T.A.T.I.O.N. . .W.H.E.R.E. [email protected][email protected]. .i.n.t...&..DK..
#
T 172.31.0.59:1433 -> 172.21.50.9:2292 [A]
......
#
T 172.31.0.59:1433 -> 172.21.50.9:2292 [AP]
.....R.........&..U.N.D.E.R._.O.P.E.R.A.T.I.O.N.....&..R.E.V.I.S.I.O.N._.S.T.G.....&..T.D.M._.S.F._.S.E.R.V.I.C.E.....&..T.D.M._.S.U.P.P.O.R.T.E.D._.C.L.B.....&..T.D.M._.P.A.R.T._.C.H.E.C.K............4.T.D.M._.S.E.C.U.R.E.D._.B.Y........................... .........y.............
##
T 172.21.50.9:2292 -> 172.31.0.59:1433 [A]

I was really hopeful this would give me what I needed after seeing the HTTP example on the ngrep usage page, but alas...still pretty stuck :(

Thanks to everyone for replies...any other thoughts?

TC

 


----- Original Message ----
From: Network Fortius <netfortius@xxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Sunday, January 11, 2009 9:22:51 PM
Subject: Re: [Wireshark-users] how to grab printable text from entire TCP stream

What if you'd save the TCP stream from wireshark/tshark, then ngrep
the resulting dump file (see pcap file processing examples here:
http://ngrep.sourceforge.net/usage.html) ?

Stefan

On Fri, Jan 9, 2009 at 3:25 PM, T c <tcastellanos619@xxxxxxxxx> wrote:
> Hi all,
>
> I often need to grab all printable text from an entire TCP stream for analysis, not just a single packet.
>
> I'm referring to the option of highlighting a selected packet in a trace, r-clicking, and selecting copy, printable text.
>
> I need to be able to, for example, I r-click a packet and select follow tcp stream...but from here, I need to grab all printable text from the entire trace.
>
> Anyone know a way to do this?
>
> TIA!
>
> TC
>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
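
The dots between the letters in the ngrep output above are consistent with 16-bit little-endian text, where every character is followed by a zero byte that ngrep prints as ".". As an added example (not part of the original thread), this Python function pulls printable runs in both that layout and plain ASCII out of a stream saved as raw bytes; the function name, the input file and the sample bytes are assumptions made for the illustration.

```python
import re
import sys


def printable_text(stream: bytes, min_len: int = 4) -> list:
    """Return runs of printable text found in raw stream bytes, in order.

    Recognises two layouts: 16-bit little-endian text (each printable byte
    followed by 0x00, which ngrep renders as "S.E.L.E.C.T.") and plain
    single-byte ASCII. Runs shorter than min_len characters are dropped.
    """
    pattern = re.compile(
        rb"(?:[\x20-\x7e]\x00){%d,}|[\x20-\x7e]{%d,}" % (min_len, min_len)
    )
    runs = []
    for match in pattern.finditer(stream):
        raw = match.group()
        # A zero in the second byte means the 16-bit alternative matched.
        if len(raw) >= 2 and raw[1] == 0:
            runs.append(raw.decode("utf-16-le"))
        else:
            runs.append(raw.decode("ascii"))
    return runs


# Constructed sample (not from a real capture): binary framing bytes around
# one 16-bit query string and one ASCII string.
SAMPLE = (
    b"\x01\x01\x00\x5f\x00\x00\x01\x00"
    + "SELECT UNDER_OPERATION FROM TN_DOCUMENTATION".encode("utf-16-le")
    + b"\x00\x00\x26\x04"
    + b"app-server-01"
    + b"\xff\xfe\x01"
)

if __name__ == "__main__":
    # Pass the path of a stream saved as raw bytes (hypothetical file);
    # with no argument the constructed sample is used instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(printable_text(data)))
```

The input is assumed to be the payload of one reassembled stream, for instance saved in raw form from the Follow TCP Stream dialog, so that text split across packets is contiguous.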