Wireshark-users: Re: [Wireshark-users] how to grab printable text from entire TCP stream

From: Jake Peavy <djstunks@xxxxxxxxx>
Date: Wed, 14 Jan 2009 18:57:49 -0700
On Wed, Jan 14, 2009 at 3:37 PM, T c <tcastellanos619@xxxxxxxxx> wrote:
Well, I've been playing around with exporting TCP stream and ngrep'ing through it...no luck...Here's what I tried


ngrep -W byline -I test.pcap (-I for input, test.pcap name of input file)...result...still got something that looked the same...tried a plethora of other ngrep combos too...all seem to give me similar results and not quite what I was looking for.

T 172.21.50.9:2292 -> 172.31.0.59:1433 [AP]
..._......
.....c........2....S.E.L.E.C.T. .U.N.D.E.R._.O.P.E.R.A.T.I.O.N.,.R.E.V.I.S.I.O.N._.S.T.G.,.T.D.M._.S.F._.S.E.R.V.I.C.E.,.T.D.M._.S.U.P.P.O.R.T.E.D._.C.L.B.,.T.D.M._.P.A.R.T._.C.H.E.C.K.,.T.D.M._.S.E.C.U.R.E.D._.B.Y. .F.R.O.M. .T.N._.D.O.C.U.M.E.N.T.A.T.I.O.N. . .W.H.E.R.E. [email protected][email protected]. .i.n.t...&..DK..
#
T 172.31.0.59:1433 -> 172.21.50.9:2292 [A]
......
#
T 172.31.0.59:1433 -> 172.21.50.9:2292 [AP]
.....R.........&..U.N.D.E.R._.O.P.E.R.A.T.I.O.N.....&..R.E.V.I.S.I.O.N._.S.T.G.....&..T.D.M._.S.F._.S.E.R.V.I.C.E.....&..T.D.M._.S.U.P.P.O.R.T.E.D._.C.L.B.....&..T.D.M._.P.A.R.T._.C.H.E.C.K............4.T.D.M._.S.E.C.U.R.E.D._.B.Y........................... .........y.............
##
T 172.21.50.9:2292 -> 172.31.0.59:1433 [A]

I was really hopeful this would give me what I needed after seeing the HTTP example on the ngrep usage page, but alas...still pretty stuck :(

Thanks to everyone for replies...any other thoughts?
 
 
Do you have a sample capture you could provide with a few packets and the _exact_ expected result?  I think that providing this information would yield a satisfactory result.
 
-jp
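
Added example, not part of the original thread: the dots between letters in the ngrep output above are consistent with the NUL bytes of UTF-16LE text (an assumption, based on how SQL Server traffic on port 1433 carries query text), so a strings-style pass over the stream has to recognise 16-bit runs as well as 8-bit ones. The sample payload and the names `printable_runs` and `MIN_CHARS` are constructed for illustration; the input is assumed to be the stream saved as raw bytes.

```python
import re

MIN_CHARS = 4  # shortest run worth reporting, as strings(1) does by default

# A printable ASCII byte followed by NUL is one UTF-16LE code unit.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_CHARS)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_CHARS)


def printable_runs(payload: bytes) -> list:
    """Return printable text runs from raw stream bytes, in stream order.

    UTF-16LE runs are matched first; plain ASCII runs are then taken only
    from the gaps between them, so an 8-bit run that abuts a 16-bit run
    does not swallow its first character.
    """
    runs = []
    pos = 0
    for wide in UTF16_RUN.finditer(payload):
        for narrow in ASCII_RUN.finditer(payload, pos, wide.start()):
            runs.append(narrow.group().decode("ascii"))
        runs.append(wide.group().decode("utf-16-le"))
        pos = wide.end()
    for narrow in ASCII_RUN.finditer(payload, pos):
        runs.append(narrow.group().decode("ascii"))
    return runs


# Constructed sample: 8 binary header bytes, a UTF-16LE query, binary trailer.
SAMPLE = (
    b"\x01\x01\x00\x5f\x00\x00\x01\x00"
    + "SELECT UNDER_OPERATION FROM TN_DOCUMENTATION".encode("utf-16-le")
    + b"\x00\x26\x04\x04"
)

if __name__ == "__main__":
    for text in printable_runs(SAMPLE):
        print(text)
```
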