The tshark.dat file is actually a pcapng file containing the matching packets of the given tcp filter; it's not the same as the follow TCP stream output of Wireshark at all, which only contains the relevant stream's TCP payload data.
Maybe this is more what you're looking for?
C:\Program Files\Wireshark\tshark.exe -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp -w tshark.dat
... and if you want to eliminate the extraneous information at the top, then you can use tail -n +x to do that, where x is the line you want to start with, thus eliminating the x-1 previous lines. For example:
C:\Program Files\Wireshark\tshark.exe -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | tail -n +9 > tshark.dat
... and since you're on Windows, if you don't have Cygwin installed, and thus you don't have tail at your disposal, then you should be able to accomplish the same thing (more or less) with PowerShell commands. For example:
C:\Program Files\Wireshark\tshark.exe -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | powershell -noninteractive -noprofile -c "$input | Select-Object -Skip 8" > tshark.dat
... and if you want to remove the blank lines:
C:\Program Files\Wireshark\tshark.exe -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | powershell -noninteractive -noprofile -c "$input | Select-Object -Skip 8 | ? {$_.trim() -ne \"\" }" > tshark.dat
Do you mean the header like:
If so, no there is no way (currently) to remove that with the
-zoptions.Thanks for the replies guys. I will work through them - for the time being ->
To be clear, the whole target is to reproduce two lines of Bash with something that runs for users on Windows (grr).
Here is the relevant part of what I am trying to reproduce here:
which extracts the TCP payloads - this is also what is done with the GUI.
I would like to not have users install Cygwin etc. if possible - that's why I am putting myself through this pain..