Ask Your Question
0

tshark tcp stream

asked 2020-12-06 20:50:27 +0000

moraist gravatar image

How can I select a TCP stream using the tshark?

edit retag flag offensive close merge delete

Comments

What is the goal? To filter frames in a TCP stream or to follow a TCP stream?

Chuckc gravatar imageChuckc ( 2020-12-06 20:57:21 +0000 )edit

Follow a TCP stream

moraist gravatar imagemoraist ( 2020-12-06 21:06:10 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-12-06 21:55:55 +0000

Chuckc gravatar image

updated 2020-12-06 22:39:32 +0000

Example file: telnet-cooked.pcap from the Wireshark wiki Sample Captures
Documentation available in User's Guide (Following Protocol Streams) and the tshark man page.

ask_wireshark$ tshark -r telnet-cooked.pcap -T fields -e tcp.stream | sort -n | uniq
0
ask_wireshark$
ask_wireshark$ tshark -r telnet-cooked.pcap -z follow,tcp,hex,0 -q

===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 0
Node 0: 192.168.0.2:1550
Node 1: 192.168.0.1:23
00000000  ff fd 03 ff fb 18 ff fb  1f ff fb 20 ff fb 21 ff  ........ ... ..!.
00000010  fb 22 ff fb 27 ff fd 05  ff fb 23                 ."..'... ..#
        00000000  ff fd 25                                          ..%
0000001B  ff fc 25                                          ..%
        00000003  ff fb 03 ff fd 18 ff fd  1f ff fd 20 ff fd 21 ff  ........ ... ..!.
        00000013  fd 22 ff fa 22 01 0b ff  f0                       .".."... .
0000001E  ff fa 1f 00 50 00 20 ff  f0 ff fa 22 03 01 00 00  ....P. . ..."....
0000002E  03 62 03 04 02 0f 05 00  00 07 62 1c 08 02 04 09  .b...... ..b.....
0000003E  42 1a 0a 02 7f 0b 02 15  0f 02 11 10 02 13 11 00  B....... ........
0000004E  00 12 00 00 ff f0 ff fd  03 ff fa 22 01 0f ff f0  ........ ..."....
        0000001C  ff fd 27 ff fb 05 ff fd  23 ff fb 26 ff fd 26 ff  ..'..... #..&..&.
        0000002C  fd 24                                             .$
0000005E  ff fe 26 ff fc 26 ff fc  24                       ..&..&.. $
        0000002E  ff fa 20 01 ff f0 ff fa  23 01 ff f0 ff fa 27 01  .. ..... #.....'.
        0000003E  ff f0 ff fa 18 01 ff f0                           ........
00000067  ff fa 20 00 39 36 30 30  2c 39 36 30 30 ff f0 ff  .. .9600 ,9600...
00000077  fa 23 00 62 61 6d 2e 7a  69 6e 67 2e 6f 72 67 3a  .#.bam.z ing.org:
00000087  30 2e 30 ff f0 ff fa 27  00 00 44 49 53 50 4c 41  0.0....' ..DISPLA
00000097  59 01 62 61 6d 2e 7a 69  6e 67 2e 6f 72 67 3a 30  Y.bam.zi ng.org:0
000000A7  2e 30 ff f0 ff fa 18 00  78 74 65 72 6d 2d 63 6f  .0...... xterm-co
000000B7  6c 6f 72 ff f0                                    lor..
        00000046  ff fd 01                                          ...
000000BC  ff fc 01                                          ...
        00000049  ff fb 01 ff fa 21 02 ff  f0 ff fc 01              .....!.. ....
000000BF  ff fd 01 ff fe 01                                 ......
        00000055  ff fa 22 03 05 80 00 11  80 00 12 80 00 ff f0     .."..... .......
        00000064  0d 0a 4f 70 65 6e 42 53  44 2f 69 33 38 36 20 28  ..OpenBS D/i386 (
        00000074  6f 6f 66 29 20 28 74 74  79 70 32 29 0d 0a 0d 0a  oof) (tt yp2)....
        00000084  6c 6f 67 69 6e 3a 20                              login:
000000C5  66 61 6b 65 0d 0a                                 fake..
<snip>
        00000559  24 20                                             $
00000101  65 78 69 74 0d 0a                                 exit..
===================================================================
ask_wireshark$


Depending on the use, you may want to change ... (more)

edit flag offensive delete link more

Comments

C'mon, PowerShell has been available for 14 years now, let go of DOS:

PS> tshark -r telnet-cooked.pcap -T fields -e tcp.stream | Sort-Object -Unique
grahamb gravatar imagegrahamb ( 2020-12-07 14:16:28 +0000 )edit

Thanks! I was thinking about adding a PS example but still afraid of it. I was just on the verge of learning it when WSL came out. Sound like I need to join the "real programmers" in 2021. :-)

Chuckc gravatar imageChuckc ( 2020-12-07 14:40:40 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-12-06 20:50:27 +0000

Seen: 2,279 times

Last updated: Dec 06 '20