This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture filter. TCP stream as txt file

0

Hi guys.

Maybe there is a method to save or convert a Wireshark capture file directly to txt?

For example, to get the same output in a txt file as we see when we press the "Follow TCP stream" button?

asked 26 Jun '12, 07:24

jomajo
accept rate: 100%


One Answer:

1

You can use tshark (Version >= 1.7) for that:

tshark -r input.cap -R "tcp.stream eq 1" -z follow,tcp,ascii,1

The number is the TCP stream number.

UPDATE: You can also try the tshark option -V (all protocol fields "expanded" --> a lot of output).

tshark -r input.cap -V "tcp.stream eq 1"

You can combine both options (-V and -z).

Regards
Kurt

answered 26 Jun '12, 07:44

Kurt Knochner ♦
accept rate: 15%

edited 26 Jun '12, 08:13

Can we save the capture without opening the .cap file at all?

(26 Jun '12, 07:59) jomajo

I'm not sure what you mean by "save the capture without opening .cap file".

tshark expects an input file which it opens to extract the data.

Maybe you can tell me a bit more .....

(26 Jun '12, 08:01) Kurt Knochner ♦

:)

I am capturing some data. The next day, when I come to check the data, I see a few .txt files generated, and when I open these, I can see just TCP stream data (as you said, ASCII characters).

It would be nice, if it is possible?

(26 Jun '12, 09:18) jomajo

Ah, you want to do it on the fly, without saving the captured data. No, that is not possible with Wireshark or tshark.

Take a look at tcpflow (Unix tool)

BTW: There is a similar question

(26 Jun '12, 17:02) Kurt Knochner ♦
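
Added example (not part of the original answer or comments): a shell loop that applies the `-z follow,tcp,ascii,N` option from the answer to every TCP stream in a saved capture and writes each stream to its own text file. The function names `list_streams` and `export_streams` and the `stream-N.txt` file naming are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: dump every TCP stream of a saved capture to its own text file.
# list_streams, export_streams and the stream-N.txt naming are hypothetical
# names chosen for this example; only the tshark options are real.

# Print the distinct tcp.stream indexes found in capture $1, one per line.
list_streams() {
    # -T fields -e tcp.stream prints the stream index of each packet;
    # non-TCP packets yield empty lines, which grep drops.
    tshark -r "$1" -T fields -e tcp.stream 2>/dev/null \
        | grep -E '^[0-9]+$' | sort -un
}

# export_streams CAPTURE OUTDIR
# Writes OUTDIR/stream-N.txt for each stream and prints how many were written.
export_streams() {
    local capture=$1 outdir=$2 count=0 idx
    [ -r "$capture" ] || { echo "cannot read $capture" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    for idx in $(list_streams "$capture"); do
        # -q suppresses the per-packet listing, leaving only the follow output.
        if tshark -r "$capture" -q -z "follow,tcp,ascii,$idx" \
                > "$outdir/stream-$idx.txt"; then
            count=$((count + 1))
        else
            echo "tshark failed on stream $idx" >&2
            rm -f "$outdir/stream-$idx.txt"
        fi
    done
    echo "$count"
}

# Run only when called with arguments, e.g.: ./export_streams.sh input.cap out/
if [ "$#" -ge 2 ]; then
    export_streams "$1" "$2"
fi
```

Because the stream indexes are read from the capture itself, no stream number has to be known in advance and no read filter is needed.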