If I have a trace with say 20 tcp streams, is there an easy way to save out each tcp stream to its own separate file, whether it be using tshark, editcap, gui, etc.? Or is the only way to do this to use a display filter for each stream and save as one by one?

Thanks!

asked 22 Jun '11, 13:35

seyerekim


If you want to split the file into separate files in pcap format, each containing one tcp stream, you can do that with a little scripting around tshark. If you are only interested in the tcp payload of each stream, you'd have to use a tool like "tcpflow".

Assuming the first, you can do this by the following (just an example):

# -Y tcp: without it, every non-TCP packet prints an empty tcp.stream field
# (tshark 1.x spelled the read filter -R; current releases use -Y, or -2 -R)
for stream in $(tshark -r <pcapfile> -Y tcp -T fields -e tcp.stream | sort -nu)
do
    echo "$stream"
    tshark -r <pcapfile> -w "stream-$stream.cap" -Y "tcp.stream==$stream"
done

(You can also just do a for loop up to the highest tcp.stream number, but there may be gaps in the tcp.stream numbering, as it reuses the conversation index and there may be conversations other than TCP.)

answered 22 Jun '11, 15:46

SYN-bit ♦♦

edited 22 Jun '11, 15:47

Thanks Sake, this helps!

(22 Jun '11, 19:54) seyerekim

FYI, on Windows using cygwin, you may need to pipe the output of uniq to sed to remove the extraneous carriage return; otherwise you may see an invalid address:port pair error message, i.e.:

for stream in `tshark -r <pcapfile> -T fields -e tcp.stream | sort -n | uniq | sed 's/\r//'`

See also this question and my answer there.

(31 Aug '13, 18:05) cmaynard ♦
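The per-stream split from SYN-bit's answer above, re-implemented in pure Python as an added example (it is not code from the page, from Wireshark or from any project it links). It does in-process what the tshark loop does on the command line: read a classic pcap, assign every Ethernet/IPv4/TCP packet to a conversation keyed on the direction-independent address/port pair, number the conversations in first-seen order (the same order Wireshark uses for tcp.stream), and write each one to stream-N.pcap, skipping non-TCP packets so there are no empty stream ids. Assumptions: classic pcap input only (convert pcapng first with `editcap -F pcap`), Ethernet framing, and one stream per 4-tuple, whereas Wireshark may start a new tcp.stream number when the same port pair is reused after the earlier connection closed. All names (`read_pcap`, `tcp_conversation`, `split_streams`, `split_to_files`, `SAMPLE_PCAP`) are this example's own, and `SAMPLE_PCAP` is a constructed five-packet capture, not a real trace.

```python
"""Split a classic pcap into one file per TCP conversation, using only the stdlib."""
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) records from classic pcap bytes (not pcapng)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only parses Ethernet captures")
    rec = struct.Struct(endian + "IIII")   # ts_sec, ts_usec, incl_len, orig_len
    off = 24
    while off + rec.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = rec.unpack_from(data, off)
        off += rec.size
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def tcp_conversation(frame):
    """Direction-independent key for an Ethernet/IPv4/TCP frame; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:        # not TCP, or truncated
        return None
    src, dst = frame[26:30], frame[30:34]
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)    # both directions map to the same key


def split_streams(data):
    """Group records by conversation; list index = first-seen order, like tcp.stream."""
    streams = OrderedDict()
    for ts_sec, ts_usec, frame in read_pcap(data):
        key = tcp_conversation(frame)
        if key is None:                    # ARP, UDP, ICMP ... dropped, as -Y tcp would
            continue
        streams.setdefault(key, []).append((ts_sec, ts_usec, frame))
    return list(streams.values())


def write_pcap(records):
    """Serialise records back into a little-endian classic pcap (Ethernet link type)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def split_to_files(data, prefix="stream-"):
    """Write stream-0.pcap, stream-1.pcap, ... and return the file names written."""
    names = []
    for i, records in enumerate(split_streams(data)):
        name = f"{prefix}{i}.pcap"
        with open(name, "wb") as fh:
            fh.write(write_pcap(records))
        names.append(name)
    return names


# --- constructed sample capture (hypothetical data, not a real trace) ---------
def _frame(src, sport, dst, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame with zeroed checksums; enough for the parser."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


SAMPLE_PCAP = write_pcap([
    (1, 0, _frame("10.0.0.1", 40000, "10.0.0.2", 80, b"GET / HTTP/1.0\r\n")),
    (1, 1, _frame("10.0.0.1", 40001, "10.0.0.3", 443)),
    (1, 2, _frame("10.0.0.2", 80, "10.0.0.1", 40000, b"HTTP/1.0 200 OK\r\n")),  # reply -> stream 0
    (1, 3, b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x06" + b"\x00" * 28),              # ARP, skipped
    (1, 4, _frame("10.0.0.3", 443, "10.0.0.1", 40001)),                           # reply -> stream 1
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for name in split_to_files(data):
        print(name)
```

Run it as `python3 split_streams.py trace.pcap` to get stream-0.pcap, stream-1.pcap, and so on in the current directory; with no argument it splits the built-in sample into two files. Because the key is built from the sorted (address, port) pairs, reply packets land in the same file as the request, which is exactly the property the tshark loop gets for free from tcp.stream.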

This meets your requirement exactly: https://github.com/caesar0301/pkt2flow

answered 25 Dec '12, 03:59

Jamin


Asked: 22 Jun '11, 13:35

Seen: 5,236 times

Last updated: 31 Aug '13, 18:06
