This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

follow stream with more information in tshark

0

Hi, I want to save 2000 streams in separate txt files, but for my work I need each of the ASCII files to include full information about all packets that made up the stream, like Follow TCP Stream in Wireshark!

I ran this script:

    # list every tcp.stream index that has a SYN packet, one per line
    for stream in $(tshark -nlr "$file" -Y "tcp.flags.syn==1" -T fields -e tcp.stream | sort -n | uniq | sed 's/\r//')
    do
        echo "Processing stream $stream"
        # write the reassembled ASCII payload of this stream to its own file
        tshark -nlr "$file" -qz "follow,tcp,ascii,$stream" > "stream-$stream.log"
    done

but this script gives me just a little information, like this:

    Follow: tcp,ascii
    Filter: tcp.stream eq 962
    Node 0: 245.234.7.168:51099
    Node 1: 40.170.249.141:80

I want to save all of the information about all packets in the stream in one file. Thanks.

asked 30 Aug '13, 23:43


Soroor
21448
accept rate: 0%

By running this script, the information for all of the streams is 2 lines, "Node 0" and "Node 1" (for streams 0 to 2000)! For example, for stream 0:

    Follow: tcp,ascii
    Filter: tcp.stream eq 0
    Node 0: 245.234.7.50:57850
    Node 1: 40.170.249.45:995

Like stream 962, which I mentioned before!

In Wireshark, with the filter tcp.stream eq 0, I can see much more information, like length, flags, TTL, etc., for all packets in that specific stream. Is there any script to do this in tshark? I need all of this information for programming on my trace in separate stream files. Thanks for your attention.

(31 Aug '13, 07:44) Soroor
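An added example (not from the original post or any of the answers) of a script that writes, per stream, both a per-packet table (frame number, time, addresses, TTL, flags, length) and the follow,tcp,ascii payload view into one text file. It assumes tshark is on PATH; it goes beyond the SYN-based listing in the question by enumerating every tcp.stream value in the capture, so streams captured mid-connection are included too.

```shell
#!/bin/sh
# Per-stream dump: packet-level fields plus reassembled payload.
# Usage: dump_all_streams capture.pcap outdir

# List distinct tcp.stream indexes in the capture, one per line, sorted.
list_streams() {
    tshark -nlr "$1" -Y tcp -T fields -e tcp.stream 2>/dev/null \
        | tr -d '\r' | grep -v '^$' | sort -n | uniq
}

# Write one text file for stream $3 of capture $1 into directory $2,
# and print the path of the file that was written.
dump_stream() {
    file=$1; outdir=$2; stream=$3
    out="$outdir/stream-$stream.txt"
    {
        echo "### Packets in tcp.stream $stream (tab-separated, header on first line)"
        tshark -nlr "$file" -Y "tcp.stream eq $stream" -T fields \
            -E header=y -E separator=/t \
            -e frame.number -e frame.time_relative \
            -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
            -e ip.ttl -e tcp.flags -e frame.len
        echo
        echo "### Reassembled payload (follow,tcp,ascii)"
        # For a stream that carries no payload this prints only the
        # Filter/Node lines, which is what the question's script shows.
        tshark -nlr "$file" -qz "follow,tcp,ascii,$stream"
    } > "$out"
    echo "$out"
}

# Dump every stream of capture $1 into directory $2; print the file count.
dump_all_streams() {
    file=$1; outdir=$2; count=0
    mkdir -p "$outdir"
    for s in $(list_streams "$file"); do
        dump_stream "$file" "$outdir" "$s" >/dev/null
        count=$((count + 1))
    done
    echo "$count"
}
```

The packet table is the part Follow TCP Stream never shows; the hex view can be swapped in with follow,tcp,hex if raw bytes are needed.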

2 Answers:

0

What makes you think there is more information available for that stream, 962 in this case? What more does Wireshark show if you filter using tcp.stream eq 962 then "Follow TCP Stream"? More than likely, there's no data being transferred for that particular stream and so there's nothing more to show/save.

answered 31 Aug '13, 07:15


cmaynard ♦♦
9.4k1038142
accept rate: 20%

0

I'm not sure, but I believe you want to write single TCP conversations/streams into separate files, possibly in pcap format.

Well, there are several ways to do that.

Please see the answers for the following questions and the tools mentioned there.

http://ask.wireshark.org/questions/16690/split-pcap-file-into-smaller-pcap-file-according-to-tcp-flow
http://ask.wireshark.org/questions/4677/easy-way-to-save-tcp-streams
http://ask.wireshark.org/questions/19995/automated-tcp-reassembler

See also the tools here

http://wiki.wireshark.org/Tools

If I misunderstood your question, please add more details.

Regards
Kurt

answered 31 Aug '13, 14:35


Kurt Knochner ♦
24.8k1039237
accept rate: 15%