If you're trying to process multiple flows, then you will most likely need to script something, and as Jasper alluded to, the stream number can be used as the key to doing this; however, first you have to find out how many streams there are.

For convenience, I'm pasting a script that Sake originally provided in his answer to the question, "Easy way to save tcp streams?" over at the old Q&A site, along with my follow-up for Windows:

for stream in `tshark -r <pcapfile> -T fields -e tcp.stream | sort -n | uniq`
do
    echo $stream
    tshark -r <pcapfile> -w stream-$stream.cap -R "tcp.stream==$stream"
done

If you're using Cygwin on the Windows platform, you may need to pipe the output of uniq to sed to remove the extraneous carriage return; otherwise you may see an invalid address:port pair error message, i.e.:

for stream in `tshark -r <pcapfile> -T fields -e tcp.stream | sort -n | uniq | sed 's/\r//'`

Obviously, you may need to modify the tshark command to suit your exact needs.
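The same procedure, with the Cygwin carriage-return fix and the empty lines that non-TCP packets produce already handled, as an added example that is not part of the original answer. It assumes tshark is on PATH and uses -Y (tshark's display-filter option on current releases) where the older script used -R; the function names and the output-directory argument are my own.

```shell
#!/bin/sh
# Added example (not the original answer's code): split a capture into one
# file per TCP stream. Assumes tshark is on PATH.

# Print the distinct tcp.stream indices, numerically sorted.
# tr strips the CR that Cygwin may leave on each line (it would otherwise end
# up inside the filter string); grep drops the empty field that tshark prints
# for every packet that is not TCP.
list_streams() {
    tshark -r "$1" -T fields -e tcp.stream \
        | tr -d '\r' | grep -v '^$' | sort -n | uniq
}

# Write stream-N.pcap for every stream index; prints the number of files written.
# Returns non-zero as soon as one tshark run fails.
split_streams() {
    pcap=$1
    outdir=${2:-.}
    mkdir -p "$outdir"
    count=0
    for stream in $(list_streams "$pcap"); do
        tshark -r "$pcap" -w "$outdir/stream-$stream.pcap" \
            -Y "tcp.stream==$stream" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: sh split_streams.sh capture.pcap [outdir]
if [ "$#" -ge 1 ]; then
    split_streams "$1" "${2:-.}"
fi
```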