Tshark TCP stream assembly

asked 2018-01-22 13:45:41 +0000

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I want to use Tshark to do TCP stream assembly .But I can only find the command in user's guide. “tshark -r pcapfile tcp.stream > outfile.txt” "tshark -r pcapfile conv.tcp"> outfile.txt But I want to follow all tcp conversations and split the tcp stream in the same conversation into different files.What should I do? eg: tcpconversation1.txt, includes the whole tcp streams in the tcp conversations.

edit retag flag offensive close merge delete

Comments

Can you expand on your question a bit? Do you want the output file to contain all the packets from tcp steam 0, followed by tcp stream 1, etc., or do you want each stream in a separate file, e.g. tcp stream 0 in tcpconversation0.txt, etc.

grahamb ( 2018-01-22 14:10:04 +0000 )edit

Thanks for your question.I want the tcp streams in the same conversation in the same file. Suppose there is a conversation between a & b, there are ten tcp streams in the conversation, I want the ten tcp streams in the same file.

wkwj ( 2018-01-22 14:16:22 +0000 )edit

code：

#!usr/bin/python
import os

for m in range(14):
    print("tshark -r data/aim_chat_3a.pcap tcp.stream eq %i>data/%i.txt" %(m, m))
    os.system("tshark -r data/aim_chat_3a.pcap tcp.stream eq %i>data/%i.txt" %(m, m))

wkwj ( 2018-01-22 16:30:11 +0000 )edit

Sorry,I really don't know how to put the code with format.

wkwj ( 2018-01-22 16:31:24 +0000 )edit

output:

C:\Apps\Wireshark>python atestpython.py
tshark -r data/aim_chat_3a.pcap tcp.stream eq 0>data/0.txt
tshark: Unexpected end of filter string.
tshark -r data/aim_chat_3a.pcap tcp.stream eq 1>data/1.txt
tshark: Unexpected end of filter string.
tshark -r data/aim_chat_3a.pcap tcp.stream eq 2>data/2.txt
tshark -r data/aim_chat_3a.pcap tcp.stream eq 3>data/3.txt
tshark: Unexpected end of filter string.
tshark -r data/aim_chat_3a.pcap tcp.stream eq 4>data/4.txt
tshark: Unexpected end of filter string.
tshark -r data/aim_chat_3a.pcap tcp.stream eq 5>data/5.txt
tshark: Unexpected end of filter string.
tshark -r data/aim_chat_3a.pcap tcp.stream eq 6>data/6.txt
tshark: Unexpected end of filter string.
tshark -r data/aim_chat_3a.pcap tcp.stream eq 7>data/7.txt
tshark: Unexpected end of filter string.
tshark -r data/aim_chat_3a.pcap tcp.stream eq 8>data/8.txt
tshark: Unexpected end ...

(more)

wkwj ( 2018-01-22 16:35:37 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2018-01-22 16:51:54 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

For your posted python issue, try adding a space between the tcp stream index and the output redirection operator ">", i.e.

#!usr/bin/python
import os

for m in range(14):
    print("tshark -r data/aim_chat_3a.pcap tcp.stream eq %i >data/%i.txt" %(m, m))
    os.system("tshark -r data/aim_chat_3a.pcap tcp.stream eq %i >data/%i.txt" %(m, m))

edit flag offensive delete link

Comments

It works!Thank you !

wkwj ( 2018-01-22 16:58:59 +0000 )edit

If the answer has solved your issue, please accept it to help others who may have the same issue, by clicking the checkmark icon to the left of the answer.

grahamb ( 2018-01-22 17:50:47 +0000 )edit

add a comment

answered 2018-01-22 14:31:28 +0000

grahamb

23790 ●4 ●950 ●227 https://www.wireshark.org

You can add a display filter to only output packets that are sent from a to b or from b to a, e.g.

-Y ((ip.src == a) && (ip.dst == b)) || ((ip.src == b) && (ip.dst == a))

if you need to make sure only tcp packets are included, then append an additional filter element for tcp, e.g.

&& tcp

edit flag offensive delete link

Comments

I'm not just want the only one tcp conversation between a and b.I also want the conversation between b and c, c and e ....I want all conversations in the packets. We can use the filter in wireshark " tcp.stream eq 0", then we will get all the packets in this conversation 0 and export it to the file tcpconversation0.txt. And when we use the filter " tcp.stream eq 1", we can export tcpconversation1.txt. But it's slow when the packet in huge and complication if I get tcpconversation*.txt by change the num in "tcp.stream eq num" , I also don't know the exactly numbers how many conversations in the packet. So please tell me how can I achieve by Tshark?

wkwj ( 2018-01-22 14:49:26 +0000 )edit

You can't directly do what you want. A tcp stream only consists of traffic between the same two hosts, so will only be a & b.

Is there some other specific way to describe the traffic you want to output, using tcp stream index doesn't really seem to be what you're wanting?

grahamb ( 2018-01-22 15:04:16 +0000 )edit

Sorry......I use python to run the conmands....to get what I want.But I met a error.I will add the code and the error in the answer.Thanks for answer my question.

wkwj ( 2018-01-22 16:24:39 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Tshark TCP stream assembly

Comments

2 Answers

Comments

Comments

Your Answer

Question Tools

Stats

Related questions

Tshark TCP stream assembly edit

Comments

2 Answers

Comments

Comments

Your Answer

Question Tools

Stats

Related questions

Tshark TCP stream assembly