This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Follow tcp stream with tshark still can not in batch mode?

0

I tried to use the latest wireshark & tshark of version 1.90, I tried to follow tcp stream with tshark in following options:
[email protected]:~/Work/NetWork/packets$ tshark -r follow_tcp.pcapng -z follow,tcp,ascii,127.0.0.1:12345,127.0.0.1:5678

But I just can get one session between the client and server, and I want get all of the sessions, so any tips?
It's easy to build the test environment with nc, we can use
nc -p 12345 localhost 5678
as client, -p option can specific the src port, we can use nc -lk 5678
as server, then capture the tcp stream with wireshark or tshark, and the result is disappointment, I can just follow one stream, so any help?

asked 09 Oct '12, 02:54

liunx's gravatar image

liunx
16336
accept rate: 0%

edited 09 Oct '12, 03:29


One Answer:

1

But I just can get one session between the client and server, and I want get all of the sessions, so any tips?

that's only possible with scripting. You can try this:

  1. print all TCP stream numbers for the desired server/port combination.
  2. use that list to extract all streams.

for stream in `tshark -r follow_tcp.pcap -R "ip.addr eq 127.0.0.1 and tcp.port eq 5678" -T fields -e tcp.stream | sort -n -u`; do echo Stream: $stream; tshark -r follow_tcp.pcap -q -z follow,tcp,ascii,$stream; done

The other option is to use tcpflow

http://ask.wireshark.org/questions/10023/command-line-option-for-follow-tcp-stream

Regards
Kurt

answered 09 Oct '12, 10:44

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thank you very much!

(09 Oct '12, 18:24) liunx