# Comparing TShark & Wireshark "Follow Stream"

When I compare the output of this command,

```powershell
& 'C:\Program Files\Wireshark\tshark.exe' -nr 'D:\pcap\test\output_0932.pcap' -z follow,tcp,raw,0 -Y tcp -w tshark.dat | Out-Null
```

which I believe should be the equivalent of "follow TCP stream" in the Wireshark GUI, I get different outputs.

The TShark output is more or less the same, but there is more (a TShark header at the top is one example).

Is there any way to get exactly the same output?

The GUI gives me what I want, but I would like to script the process using TShark.

Thanks!


Do you mean the header like:

```
===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 0
Node 0: 127.0.0.1:33412
Node 1: 127.0.0.1:8080
```

If so, no, there is no way (currently) to remove that with the -z options.

( 2020-01-13 11:39:02 +0000 )

Thanks for the replies guys. I will work through them - for the time being ->

To be clear, the whole target is to reproduce two lines of Bash with something that runs for users on Windows (grr).

Here is the relevant part of what I am trying to reproduce:

```shell
tcptrace -e output_0932.pcap
```

which extracts the TCP payloads - this is also what is done with the GUI.

I would like to not have users install Cygwin etc. if possible - that's why I am putting myself through this pain..

( 2020-01-13 19:54:31 +0000 )


The tshark.dat file is actually a pcapng file containing the matching packets of the given tcp filter; it's not the same as the follow TCP stream output of Wireshark at all, which only contains the relevant stream's TCP payload data.

Maybe this is more what you're looking for?

```cmd
"C:\Program Files\Wireshark\tshark.exe" -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp -w tshark.dat
```

... and if you want to eliminate the extraneous information at the top, then you can use `tail -n +x` to do that, where x is the line you want to start with, thus eliminating the x-1 previous lines. For example:

```cmd
"C:\Program Files\Wireshark\tshark.exe" -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | tail -n +9 > tshark.dat
```

... and since you're on Windows, if you don't have Cygwin installed, and thus you don't have `tail` at your disposal, then you should be able to accomplish the same thing (more or less) with PowerShell commands. For example:

```cmd
"C:\Program Files\Wireshark\tshark.exe" -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | powershell -noninteractive -noprofile -c "$input | Select-Object -Skip 8" > tshark.dat
```

... and if you want to remove the blank lines:

```cmd
"C:\Program Files\Wireshark\tshark.exe" -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | powershell -noninteractive -noprofile -c "$input | Select-Object -Skip 8 | ? {$_.trim() -ne \"\" }" > tshark.dat
```

## Comments

The examples seem to be a bit long-winded if the user is already running in a PowerShell session (as the Out-Null would indicate). In this case use:

```powershell
& 'C:\Program Files\Wireshark\tshark.exe' -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | Select-Object -Skip 8 | Out-File -Encoding utf8 tshark.dat
```

Note the use of Out-File to control the encoding of the output file. The default PowerShell output, when using redirection or Out-File, is (currently) UTF16LE, which may not be what you want to subsequently use. Another way to strip blank lines is to pipe through `Where-Object {$_ }`.

I also found that I only needed to skip 6 lines to remove the header info, and the output still retains the trailer (====...) and all but the first line of data is prefixed by a tab.

( 2020-01-13 18:18:17 +0000 )

My examples were run from a cmd prompt, and I don't doubt they weren't optimal, especially if already running from a PowerShell session. I'm definitely not a PowerShell expert, so feel free to use @grahamb's modified examples or whatever else works best.

The main point of my answer was to clarify the -w output, illustrate that ascii and not raw was what was probably desired, and to show that it's possible to skip past any preceding headers and only focus on the TCP payload.

( 2020-01-13 18:27:50 +0000 )

It looks like raw matches the output from `tcptrace -e`, which works well on Bash.

As I said, the GUI nails it; unfortunately it's tricky on the tshark side of things.

( 2020-01-13 20:05:45 +0000 )
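An added example, not code posted by anyone in this thread: a PowerShell function (Windows PowerShell 5.1 or later, no Cygwin needed) that runs tshark in raw follow mode and, instead of skipping a fixed number of header lines, uses the `===` delimiters and the `Follow:`/`Filter:`/`Node N:` lines to locate the payload, then decodes the hex and writes one binary file per direction, much as `tcptrace -e` does. The tab-indent convention for Node 1 data is the one noted in the comments above; the tshark install path, the pcap path and the output file names are assumptions.

```powershell
function ConvertFrom-HexLine([string] $Hex) {
    # Raw mode prints one hex line per segment; decode it to a byte array.
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Export-TcpStreamPayload {
    param(
        [Parameter(Mandatory)] [string] $Pcap,
        [int] $Stream = 0,
        [string] $OutDir = (Get-Location).Path,
        [string] $TShark = 'C:\Program Files\Wireshark\tshark.exe'   # assumed default install path
    )
    # -q drops the per-packet lines; raw mode prints hex only, so the output
    # files are written as bytes and the Out-File encoding question never arises.
    $report = & $TShark -q -nr $Pcap -z "follow,tcp,raw,$Stream"
    if ($LASTEXITCODE -ne 0) { throw "tshark failed with exit code $LASTEXITCODE" }

    $fromNode0 = New-Object System.Collections.Generic.List[byte]   # Node 0 -> Node 1
    $fromNode1 = New-Object System.Collections.Generic.List[byte]   # Node 1 -> Node 0
    $inReport = $false
    foreach ($line in $report) {
        if ($line -match '^=+$') {               # first "===" opens the report, second closes it
            if ($inReport) { break }
            $inReport = $true
            continue
        }
        if (-not $inReport -or $line -match '^(Follow|Filter|Node [01]):') { continue }
        # Node 1's data lines are tab-indented; Node 0's are not.
        if ($line -match '^\t((?:[0-9A-Fa-f]{2})+)$') {
            $fromNode1.AddRange([byte[]](ConvertFrom-HexLine $Matches[1]))
        } elseif ($line -match '^((?:[0-9A-Fa-f]{2})+)$') {
            $fromNode0.AddRange([byte[]](ConvertFrom-HexLine $Matches[1]))
        }
    }
    $node0File = Join-Path $OutDir "stream$Stream.node0.bin"   # assumed output names
    $node1File = Join-Path $OutDir "stream$Stream.node1.bin"
    [System.IO.File]::WriteAllBytes($node0File, $fromNode0.ToArray())
    [System.IO.File]::WriteAllBytes($node1File, $fromNode1.ToArray())
    [pscustomobject]@{ Stream = $Stream; Node0Bytes = $fromNode0.Count; Node1Bytes = $fromNode1.Count }
}

Export-TcpStreamPayload -Pcap 'D:\pcap\test\output_0932.pcap' -Stream 0
```

Node 0 is simply the first endpoint tshark saw in the stream, not necessarily the client, so check the `Node 0:`/`Node 1:` header lines if direction matters for what you do with the files.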