Wireshark-users: Re: [Wireshark-users] tshark and tcp streams

From: Douglas Ross <doug_ross_59@xxxxxxxxxxx>
Date: Sun, 30 May 2010 10:41:37 +0000 (GMT)
Hi Joan,
 
Thanks very much for taking the time to reply, and explain -- even doing the job for me ;)
 
I'm not familiar with tshark, as you may tell, but I guessed that the only way would probably involve concatenating files first. However, I wanted a more automated method.
 
A few years ago I did some analysis of ethereal files, and coded my own software to extract data, automatically accessing the next available file, and optionally following files in real time. However, my data extraction routine was rather basic. So I was hoping to use tshark's tcp.stream recognition process to improve on it.
 
My current project requires more work of me to better understand the data packaging layers, so I'll revisit my old code and perhaps integrate it with tshark ..
 
Thanks again, or dank u wel ;)

Goeiendag
Doug
(excuse my Dutch :(


From: j.snelders <j.snelders@xxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Sat, 29 May, 2010 9:31:17 PM
Subject: Re: [Wireshark-users] tshark and tcp streams

Hi Douglas,

Can TShark statistics help you?
Create a table that lists all conversations that could be seen in the capture
file:
-z  conv,type[,filter]
http://www.wireshark.org/docs/man-pages/tshark.html

Run this script to create a table that lists the conversations in multiple
files.
Use paste --serial to merge the text files.
Use rm to remove the temporary files.

for file in test2905*.pcap
do
  # one conversation table per input file; tshark statistics only cover a single capture
  tshark -r "$file" -q -z conv,tcp > "tmp-$file.txt"
done
paste --serial tmp-*.pcap.txt > test2905.txt
rm -f tmp-*


Look for the conversation you want to extract from the capture files:
TCP Conversations
Filter:<No Filter>
                                              |       <-      | |       ->      | |     Total     |
                                              | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.10:49664  <-> 207.204.17.246:80        83    121342      42      2622     125    123964

Create a display filter:
ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80


Run this script to save the packets to separate files, merge these files
and remove the temporary files:

for file in test2905*.pcap
do
  # -Y is the single-pass display filter in current tshark (the original post used -R,
  # the 1.x read filter, which in 1.10 and later is only accepted together with -2)
  tshark -r "$file" -w "tmp-$file" -Y "ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80"
done
# mergecap orders the packets of all inputs by timestamp unless -a (append) is given
mergecap -w test2905c.pcap tmp-*
rm -f tmp-*


Hope this helps
Joan


On Fri, 28 May 2010 21:29:42 +0000 (GMT) Douglas Ross wrote:
>Thanks to Abhik for revealing the tshark commands: -T fields -e tcp.stream
>(see tshark command 19-21 May)
>
>But, does anyone know how to get tshark to follow streams across capture
>files ?
>
>Cheers
>Doug
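The recipe above works because it keys the conversation on the two IP:port endpoints rather than on tcp.stream: that index is assigned while one capture file is dissected and starts again at 0 in the next file, so it cannot identify a stream across files. The following is an added example for this thread (not code from the thread or from Wireshark) that does the same three steps in plain Python: build a per-conversation frame/byte table over several files (what `-z conv,tcp` gives per file), pick one conversation by its 4-tuple, and write the matching packets of every file out as one timestamp-ordered capture (the per-file filter plus mergecap). It assumes classic little-endian pcap with Ethernet/IPv4/TCP (no pcapng, VLAN or IPv6); the two capture files it operates on are constructed in memory, with the thread's 192.168.1.10:49664 <-> 207.204.17.246:80 conversation deliberately split across them.

```python
import struct
from collections import defaultdict

# Classic little-endian pcap global header: magic, v2.4, zone 0, sigfigs 0,
# snaplen 65535, LINKTYPE_ETHERNET (1). pcapng is deliberately not handled.
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) records from classic pcap bytes."""
    if data[:4] != PCAP_HDR[:4]:
        raise ValueError("expected little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec, usec, data[off:off + caplen]
        off += caplen

def write_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) records into pcap file bytes."""
    out = [PCAP_HDR]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def tcp_endpoints(frame):
    """(src_ip, sport, dst_ip, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                 # not IPv4, or IPv4 but not protocol 6 (TCP)
    ihl = (frame[14] & 0x0F) * 4    # IPv4 header length, options included
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, sport, dst, dport

def conversation_key(ep):
    """Order the endpoints so both directions of a flow share one key."""
    a, b = (ep[0], ep[1]), (ep[2], ep[3])
    return (a, b) if a <= b else (b, a)

def conversation_table(captures):
    """[frames a->b, bytes a->b, frames b->a, bytes b->a] per conversation,
    summed over all files (what `tshark -q -z conv,tcp` prints for one file)."""
    table = defaultdict(lambda: [0, 0, 0, 0])
    for data in captures:
        for _, _, frame in read_pcap(data):
            ep = tcp_endpoints(frame)
            if ep is None:
                continue
            key = conversation_key(ep)
            col = 0 if key[0] == (ep[0], ep[1]) else 2
            table[key][col] += 1
            table[key][col + 1] += len(frame)
    return dict(table)

def extract_conversation(captures, key):
    """Frames of one conversation from every file, merged and timestamp-ordered
    (the per-file display filter followed by mergecap)."""
    kept = []
    for data in captures:
        for sec, usec, frame in read_pcap(data):
            ep = tcp_endpoints(frame)
            if ep is not None and conversation_key(ep) == key:
                kept.append((sec, usec, frame))
    kept.sort(key=lambda r: (r[0], r[1]))
    return write_pcap(kept)

def make_frame(src, sport, dst, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + tcp + payload

def sample_captures():
    """Two constructed capture files; the thread's 192.168.1.10:49664 <->
    207.204.17.246:80 conversation spans both, an unrelated flow sits in the first."""
    cli, srv = ("192.168.1.10", 49664), ("207.204.17.246", 80)
    first = write_pcap([
        (1, 0, make_frame(*cli, *srv, b"GET / HTTP/1.1\r\n")),
        (1, 10, make_frame(*srv, *cli, b"HTTP/1.1 200 OK\r\n")),
        (1, 20, make_frame("192.168.1.10", 49665, "10.0.0.5", 443, b"x")),
    ])
    second = write_pcap([
        (2, 0, make_frame(*srv, *cli, b"<html>")),
        (2, 5, make_frame(*cli, *srv)),   # bare ACK, no payload
    ])
    return [first, second]

if __name__ == "__main__":
    caps = sample_captures()
    for (a, b), row in conversation_table(caps).items():
        print("%s:%d <-> %s:%d" % (*a, *b), row)
    key = conversation_key(("192.168.1.10", 49664, "207.204.17.246", 80))
    print(len(list(read_pcap(extract_conversation(caps, key)))), "frames merged")
```

On real files, replace `sample_captures()` with the bytes of each capture read in order, and write the result of `extract_conversation` to disk; it then opens in Wireshark as one stream that Follow TCP Stream can reassemble. The sort by timestamp mirrors mergecap's default chronological merge; if the captures were written by a rotating ring buffer whose clocks are consistent, file order and timestamp order coincide and the sort is a no-op.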




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe