how to get output like when using -z?

asked 2017-12-03 13:55:19 +0000

I have been using this script to automatically split a pcap file into single tcp streams:

for stream in $(tshark -r $1 -T fields -e tcp.stream | sort -n | uniq)
do
    echo $stream
    tshark -r $1 -w $2/stream-$stream.cap -Y "tcp.stream==$stream"
done

now, for each single capture file that represents a stream I would like to read it with the same format that you get when you follow a stream using -z, for example

tshark -r somefile.pcap -z "follow,http,ascii,172.18.0.6:57238,172.18.0.4:8081"

does some option that does this exist?

answered 2018-07-18 20:36:42 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

I realize this is a very old question, but in case it helps, here's a solution:

Since each capture file contains only a single TCP stream, you can simply specify the stream number 0. For example:

tshark -q -r somefile.pcap -z follow,http,ascii,0

NOTE Most likely, you probably want to also use the -q option to suppress individual packet information from being displayed.

Refer to the tshark man page for more information about the -z follow ... option and its syntax.

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

how to get output like when using -z?

1 Answer

Your Answer

Question Tools

Stats

how to get output like when using -z? edit

1 Answer

Your Answer

Question Tools

Stats

how to get output like when using -z?