 | 1 | initial version |
There are a number of issues here, firstly your use of tshark to get the raw data and then slight differences in the output format.
To save the raw data from tshark don't (-w) write to a capture file, instead redirect the output to the file, e,g.
tshark -r in.pcap -q -z follow,tcp,raw,0 > f
Note the addition of -q to suppress the dissection of the packets.
The slight differences in the output (should be, see note 1) is that tshark adds a header and trailer to the data:
===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 0
Node 0: 192.168.69.10:53257
Node 1: 192.168.69.15:9091
... hex data
===================================================================
and that each new packet in the tshark output for the 2nd node (node 1) is preceded by a tab character.
Note 1: Testing with the current development buld (3.1.x) and selecting raw mode seems to save the stream data in the same format as the ASCII mode. This seems to be a bug to me.