Wireshark-users: Re: [Wireshark-users] tshark commands

From: Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
Date: Wed, 19 May 2010 22:23:51 +0400
Hi David,

Not sure if you are using Windows or *nix, but if you are on the latter, a script similar to this might work:

# one matching packet prints one line, so the same stream id repeats; sort -nu keeps each id once
for stream_id in $(tshark -T fields -e tcp.stream -r server.pcap -R "data contains NTF0" | sort -nu)
do
  # write every packet of that TCP stream to its own capture file
  tshark -r server.pcap -w "server$stream_id.pcap" -R "tcp.stream eq $stream_id"
done

HTH,
Abhik
PS: I haven't checked the exact syntax or run the command, but it's just the idea.
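As an added example (not Abhik's script and not code from the Wireshark project): a small Python wrapper that does the same two tshark runs, deduplicating the stream ids, and additionally pulls out the stream payload bytes that "Follow TCP Stream -> Save As" gives you in the GUI. It assumes `tshark` is on PATH, that it is a version where `-R` needs `-2` (tshark 1.10 and later; older builds take `-R` alone as in the thread), and that the `-z follow,tcp,raw` output has the layout described in the comments; the pcap name, filter and output prefix are placeholders.

```python
"""Carve TCP streams matching a read filter out of a pcap with tshark.
Assumptions: tshark on PATH, `-2 -R` accepted (tshark >= 1.10), and the
`-z follow,tcp,raw` text layout sketched in parse_follow_raw below."""
import subprocess
import sys
from typing import List, Tuple


def parse_stream_ids(fields_output: str) -> List[int]:
    """Turn `tshark -T fields -e tcp.stream` output into sorted unique ids.
    tshark prints one line per matching packet, so ids repeat, and packets
    without a tcp.stream field show up as blank lines."""
    ids = set()
    for line in fields_output.splitlines():
        line = line.strip()
        if line.isdigit():
            ids.add(int(line))
    return sorted(ids)


def list_cmd(pcap: str, match_filter: str) -> List[str]:
    """Pass 1: which stream indexes contain packets matching the filter."""
    return ["tshark", "-r", pcap, "-2", "-R", match_filter,
            "-T", "fields", "-e", "tcp.stream"]


def extract_cmd(pcap: str, stream_id: int, prefix: str) -> List[str]:
    """Pass 2: write all packets of one stream to <prefix><id>.pcap."""
    return ["tshark", "-r", pcap, "-2", "-R", f"tcp.stream eq {stream_id}",
            "-w", f"{prefix}{stream_id}.pcap"]


def follow_cmd(pcap: str, stream_id: int) -> List[str]:
    """Same reassembly the GUI does; -q suppresses the per-packet lines."""
    return ["tshark", "-r", pcap, "-q", "-z", f"follow,tcp,raw,{stream_id}"]


def parse_follow_raw(output: str) -> Tuple[bytes, bytes]:
    """Split `-z follow,tcp,raw` output into (node0->node1, node1->node0).
    Assumed layout: a header block whose last line starts with 'Node 1:',
    then one hex line per data chunk, chunks sent by node 1 indented with a
    tab, closed by a line of '=' characters."""
    forward, backward = bytearray(), bytearray()
    in_data = False
    for line in output.splitlines():
        if not in_data:
            in_data = line.startswith("Node 1:")
            continue
        if line.startswith("="):
            break
        hexdata = line.strip()
        if not hexdata:
            continue
        target = backward if line.startswith("\t") else forward
        target.extend(bytes.fromhex(hexdata))
    return bytes(forward), bytes(backward)


def extract_streams(pcap: str, match_filter: str, prefix: str = "stream") -> List[int]:
    """Write one pcap plus two payload files (.c2s.bin / .s2c.bin) per stream."""
    listing = subprocess.run(list_cmd(pcap, match_filter), capture_output=True,
                             text=True, check=True).stdout
    ids = parse_stream_ids(listing)
    for sid in ids:
        subprocess.run(extract_cmd(pcap, sid, prefix), check=True)
        follow = subprocess.run(follow_cmd(pcap, sid), capture_output=True,
                                text=True, check=True).stdout
        for direction, data in zip(("c2s", "s2c"), parse_follow_raw(follow)):
            with open(f"{prefix}{sid}.{direction}.bin", "wb") as fh:
                fh.write(data)
    return ids


if __name__ == "__main__":
    # e.g.: python carve.py server.pcap 'data contains NTF0' server
    pcap_file, read_filter = sys.argv[1], sys.argv[2]
    out_prefix = sys.argv[3] if len(sys.argv) > 3 else "stream"
    print("streams written:", extract_streams(pcap_file, read_filter, out_prefix))
```

The per-stream pcaps are what Abhik's loop produces; the `.c2s.bin`/`.s2c.bin` files hold the reassembled bytes of each direction, which is where a transferred file's contents end up once any protocol framing has been stripped. Because `data contains NTF0` only matches packets whose payload is undissected `data`, streams carried over a protocol tshark does dissect (HTTP, FTP-data, ...) need a filter on that protocol's fields instead.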

On Wed, May 19, 2010 at 8:49 PM, David Milbourne <dmilbo@xxxxxxxxx> wrote:
Hello,

I'm trying to figure out how to use Wireshark's "Follow TCP Stream" feature in tshark.  For example, I have a PCAP file and I'd like to extract out all of the .ntf files.  I know if I type:

tshark -r server.pcap -R "data contains NTF0"

This will show me a list of the streams in the PCAP file that contain the above string.  However, how can I re-create these files (similar to "Follow TCP Stream" and "save as" in Wireshark)?

Thank-you,
DM

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe