There are a number of issues here: firstly your use of tshark to get the raw data, and then slight differences in the output format.

To save the raw data from tshark don't (-w) write to a capture file, instead redirect the output to the file, e.g.

tshark -r in.pcap -q -z follow,tcp,raw,0 > f

Note the addition of -q to suppress the dissection of the packets.

The slight differences in the output (should be, see note 1) are that tshark adds a header and trailer to the data:

===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 0
Node 0: 192.168.69.10:53257
Node 1: 192.168.69.15:9091

... hex data
===================================================================

and that each new packet in the tshark output for the 2nd node (node 1) is preceded by a tab character.

Note 1: Testing with the current development build (3.1.x) and selecting raw mode seems to save the stream data in the same format as the ASCII mode. This seems to be a bug to me.
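
An added example, not part of the original answer: a Python parser for the redirected `follow,tcp,raw` output described above, which drops the header and trailer and uses the leading tab to attribute each hex line to node 0 or node 1. The function names and the sample text are constructed for illustration, and the layout is assumed to be exactly the one shown above.

```python
import re

# Constructed sample in the layout the answer describes: header, hex lines
# (lines from node 1 start with a tab), trailer.
SAMPLE = (
    "===================================================================\n"
    "Follow: tcp,raw\n"
    "Filter: tcp.stream eq 0\n"
    "Node 0: 192.168.69.10:53257\n"
    "Node 1: 192.168.69.15:9091\n"
    "474554202f20485454502f312e310d0a0d0a\n"
    "\t485454502f312e3120323030204f4b0d0a\n"
    "===================================================================\n"
)

NODE_RE = re.compile(r"^Node (\d+): (\S+)$")


def parse_follow_raw(text):
    """Return (nodes, segments) where segments is [(node_index, bytes), ...]."""
    nodes, segments, rulers = {}, [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("====="):
            rulers += 1
            if rulers == 2:      # trailer reached, stop
                break
            continue
        if rulers == 0 or not line.strip():
            continue             # text before the header, or blank lines
        if line.startswith(("Follow:", "Filter:")):
            continue
        m = NODE_RE.match(line)
        if m:
            nodes[int(m.group(1))] = m.group(2)
            continue
        node = 1 if line.startswith("\t") else 0   # tab marks node 1
        try:
            segments.append((node, bytes.fromhex(line.strip())))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: not hex data: {line!r}") from exc
    return nodes, segments


def direction(segments, node):
    """Concatenate the payload bytes sent by one node, in capture order."""
    return b"".join(data for n, data in segments if n == node)
```

A body line that is not valid hex raises `ValueError` with its line number, which makes it obvious when the file does not actually contain raw-mode output.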