Wireshark-users: Re: [Wireshark-users] tshark Question

From: Average Guy <averageguy333@xxxxxxxxx>
Date: Tue, 28 Dec 2010 07:02:45 -0800 (PST)
Thanks for your help. I am not exactly sure what you are referring to when you say "tracefile", but as for selecting a particular stream, I am interested in all streams, so I first get a list of all stream IDs and then:
tshark -r in.pcap -w out.pcap -R "tcp.stream eq StreamID"
Also, I am interested in more than just HTTP, since "Follow TCP Stream" covers more than just HTTP. It looks like I am left with no option and need to make some changes to tshark and recompile.

AG
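Added example, not code from this thread or from Wireshark: the per-stream extraction discussed here (number the TCP conversations the way tshark's tcp.stream does, pick one, dump its reassembled payload per direction as "Follow TCP Stream -> Save As (Raw)" would) done directly from a classic pcap in pure Python, so it runs on Windows without tcpflow or a rebuilt tshark. Later tshark releases have since added -z follow,tcp,raw,<stream id>, which does this for one stream at a time. The reader assumes a libpcap-format file (not pcapng), Ethernet link type and IPv4, and does not handle 32-bit sequence wraparound; the sample capture at the bottom is constructed in memory and deliberately contains an out-of-order segment and a retransmission.

```python
"""Reassemble TCP stream payloads from a classic pcap, per direction, like
Wireshark's "Follow TCP Stream -> Save As (Raw)" or tcpflow.
Added example, not code from this thread or from Wireshark.  Assumes a classic
(libpcap) file, Ethernet link type, IPv4, and no 32-bit sequence wrap; the
sample capture at the bottom is constructed in memory, not a real trace."""
import struct
from collections import OrderedDict

ETH_IPV4, IPPROTO_TCP = b"\x08\x00", 6

def iter_pcap(data):
    """Yield link-layer frames from classic pcap bytes (pcapng is not handled)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if e is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(e + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(e + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                      # IP length, so Ethernet padding is dropped
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    return src, sport, dst, dport, seq, tcp[(off_flags >> 12) * 4:]

def index_streams(pcap_bytes):
    """Group segments by conversation, numbered like tshark's tcp.stream (0-based,
    first-seen order).  Each stream maps "src:sport->dst:dport" to {seq: payload};
    exact retransmissions collapse onto the same seq key."""
    streams = OrderedDict()
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))    # same key for both directions
        stream = streams.setdefault(key, OrderedDict())
        if payload:
            stream.setdefault("%s:%d->%s:%d" % (src, sport, dst, dport), {})[seq] = payload
    return list(streams.values())

def reassemble(segments):
    """Concatenate {seq: payload} in sequence order, trimming overlapping bytes.
    Returns (data, gaps); gaps counts holes where a segment never made it into
    the capture, which a raw dump would otherwise hide."""
    data, gaps, expected = bytearray(), 0, None
    for seq in sorted(segments):
        payload = segments[seq]
        expected = seq if expected is None else expected
        if seq < expected:                       # overlap or partial retransmission
            payload, seq = payload[expected - seq:], expected
        elif seq > expected:
            gaps += 1
        data += payload
        expected = seq + len(payload)
    return bytes(data), gaps

def follow_stream(pcap_bytes, stream_id):
    """'tcp.stream eq <id>' followed by Save As (Raw): one byte string per direction."""
    stream = index_streams(pcap_bytes)[stream_id]
    return {direction: reassemble(segs)[0] for direction, segs in stream.items()}

def _frame(src, sport, dst, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for the sample; checksums left zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + ETH_IPV4 + ip + tcp

def build_pcap(frames):
    """Little-endian classic pcap, LINKTYPE_ETHERNET, one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1293548565 + i, 0, len(f), len(f)) + f
    return out

C, S = ("10.0.0.1", 40000), ("10.0.0.2", 80)
SAMPLE_PCAP = build_pcap([                       # constructed: out-of-order + retransmit
    _frame(*C, *S, 1016, b"Host: example.test\r\n\r\n"),
    _frame(*C, *S, 1000, b"GET / HTTP/1.0\r\n"),
    _frame(*C, *S, 1000, b"GET / HTTP/1.0\r\n"),
    _frame(*S, *C, 5000, b"HTTP/1.0 200 OK\r\n"),
    _frame(*S, *C, 5017, b"\r\nhello"),
    _frame("10.0.0.1", 40001, "10.0.0.3", 22, 7000, b"SSH-2.0-x\r\n"),   # tcp.stream 1
])

if __name__ == "__main__":
    for sid in range(len(index_streams(SAMPLE_PCAP))):
        for direction, raw in follow_stream(SAMPLE_PCAP, sid).items():
            print("stream %d %s: %r" % (sid, direction, raw))
```

To use it on a real file, read the bytes with open(path, "rb").read() in place of SAMPLE_PCAP and write each direction's bytes to its own file, which is what tcpflow does. The gaps count from reassemble() is worth checking before trusting a dump: a dropped segment leaves no marker in the raw output, exactly as in Wireshark's Save As (Raw).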


From: Sake Blok <sake@xxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Tue, December 28, 2010 4:18:09 AM
Subject: Re: [Wireshark-users] tshark Question

It does not seem to be that nobody wants this functionality, but I guess most people use the tools available under Linux to achieve their goals. One problem with implementing "follow XXX stream" for tshark is how to select the particular stream you're interested in, as there are generally many streams in one tracefile.

If you look on ask.wireshark.org, you will see someone else needing this functionality and solving it by outputting XML data from a tracefile and merging the data to get whole HTTP requests and responses.

In other words, if you really need this functionality, you either need to develop it yourself or fill in an enhancement request @ https://bugzilla.wireshark.org. But in the latter case, there is no guarantee that it will be developed, as there are a lot of things people would like to add to Wireshark.

Cheers,


Sake


On 28 Dec 2010, at 03:39, Average Guy wrote:

> Thanks Abhijit, a few issues with this thread, the most important being that I am using Windows, which rules out tcpflow and any other *nix based tool. Also, I am not searching for any particular string, and I need output (printed or saved) exactly like "Follow TCP Stream->Save As" in Wireshark. I am trying to convince myself that there is an option in tshark since the behavior is defined in Wireshark... but I am having a hard time believing there is hardly anyone out there in search of similar functionality.
>
> AG
>
> From: Abhijit Bare <abhibare@xxxxxxxxx>
> To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Sent: Mon, December 27, 2010 5:51:03 PM
> Subject: Re: [Wireshark-users] tshark Question
>
> Wondering if this thread will help you...
>
> http://www.wireshark.org/lists/wireshark-users/201005/msg00221.html
>
> On Mon, Dec 27, 2010 at 1:19 PM, Average Guy <averageguy333@xxxxxxxxx> wrote:
> Better way of putting this, I am looking for the same output as in wireshark:
>
> Follow TCP Stream->Save As(Raw)
>
> -AG
>
> From: Average Guy <averageguy333@xxxxxxxxx>
> To: wireshark-users@xxxxxxxxxxxxx
> Sent: Mon, December 27, 2010 1:27:14 PM
> Subject: [Wireshark-users] tshark Question
>
> Greetings,
>
> I am trying to extract the TCP payload from reassembled TCP streams in Windows. The data I am interested in can be found in tshark output when the -x option is used. When -x is used, the section/field is called "Reassembled TCP". I cannot find an option or field in tshark to print or output this section. In short, I am trying to do the same thing tcpflow does in Linux and dump the payload of reassembled TCP streams. There is no particular reason why I am using tshark, since it is the only tool (win32) I have found so far, but I am open to suggestions. Thank you in advance.
>
> AG
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
