Ask Your Question

Comparing TShark & Wireshark "Follow Stream"

asked 2020-01-13 08:35:24 +0000

johnorford gravatar image

updated 2020-01-13 08:36:10 +0000

When I compare the output of this command,

 & 'C:\Program Files\Wireshark\tshark.exe' -nr 'D:\pcap\test\output_0932.pcap' -z follow,tcp,raw,0 -Y tcp -w tshark.dat | Out-Null

which I believe should be the equivalent of "follow TCP stream" in the Wireshark GUI I get different outputs.

The TShark output is more or less the same, but there is more (a TShark header at the top is one example).

Is there anyway to get exactly the same output?

The GUI gives me what I want, but I would like to script the process using TShark.


edit retag flag offensive close merge delete


Do you mean the header like:

Follow: tcp,raw
Filter: eq 0
Node 0:
Node 1:

If so, no there is no way (currently) to remove that with the -z options.

grahamb gravatar imagegrahamb ( 2020-01-13 11:39:02 +0000 )edit

Thanks for the replies guys. I will work through them - for the time being ->

To be clear, the whole target is to reproduce two lines of Bash with something that runs for users on Windows (grr).

Here is the relevant part of what I am trying to reproduce here:

tcptrace -e output_0932.pcap

which extracts the TCP payloads - this is also what is done with the GUI.

I would like to not have users install Cygwin etc. if possible - that's why I am putting myself through this pain..

johnorford gravatar imagejohnorford ( 2020-01-13 19:54:31 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2020-01-13 17:50:46 +0000

cmaynard gravatar image

The tshark.dat file is actually a pcapng file containing the matching packets of the given tcp filter; it's not the same as the follow TCP stream output of Wireshark at all, which only contains the relevant stream's TCP payload data.

Maybe this is more what you're looking for?

C:\Program Files\Wireshark\tshark.exe -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp -w tshark.dat

... and if you want to eliminate the extraneous information at the top, then you can use tail -n +x to do that, where x is the line you want to start with, thus eliminating the x-1 previous lines. For example:

C:\Program Files\Wireshark\tshark.exe -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | tail -n +9 > tshark.dat

... and since you're on Windows, if you don't have Cygwin installed, and thus you don't have tail at your disposal, then you should be able to accomplish the same thing (more or less) with PowerShell commands. For example:

C:\Program Files\Wireshark\tshark.exe -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | powershell -noninteractive -noprofile -c "$input | Select-Object -Skip 8" > tshark.dat

... and if you want to remove the blank lines:

C:\Program Files\Wireshark\tshark.exe -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | powershell -noninteractive -noprofile -c "$input | Select-Object -Skip 8 | ? {$_.trim() -ne \"\" }" > tshark.dat
edit flag offensive delete link more


The examples seem to be a bit long-winded if the user is already running in a PowerShell session (as the Out-Null) would indicate. In this case use:

& C:\Program Files\Wireshark\tshark.exe -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | Select-Object -Skip 8 | Out-File -Encoding utf8 tshark.dat

Note the use of Out-File to control the encoding of the output file. The default PowerShell output, when using redirection or Out-File, is (currently) UTF16LE which may not be want you want to subsequently use.

Another way to strip blank lines is to pipe through Which-Object { $_ }

I also found that I only needed to skip 6 lines to remove the header info and the output still retains the trailer (====...) and all but the first line if data is prefixed by a tab.

grahamb gravatar imagegrahamb ( 2020-01-13 18:18:17 +0000 )edit

My examples were run from a cmd prompt, and I don't doubt they weren't optimal, especially if already running from a PowerShell session. I'm definitely not a PowerShell expert, so feel free to use @grahamb's modified examples or whatever else works best.

The main point of my answer was to clarify the -w output, illustrate that ascii and not raw was what was probably desired, and to show that it's possible to skip past any preceding headers and only focus on the TCP payload.

cmaynard gravatar imagecmaynard ( 2020-01-13 18:27:50 +0000 )edit

It looks like raw matches the output from tcptrace -e which works well on Bash..

As I said, the GUI nails it, unfortunately tricky with tshark side of things..

johnorford gravatar imagejohnorford ( 2020-01-13 20:05:45 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-01-13 08:35:24 +0000

Seen: 2,164 times

Last updated: Jan 13 '20