This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark equivalent of Wireshark commands

0

Is there an equivalent command line in tshark that does the following.

  • Filters the packet to TCP only (tcp.port==5555)
  • Follow TCP stream.
  • Save the file as raw.

The process will enable us to view real time video stream via TCP.

asked 09 May '16, 22:25

Dr Dre
6223
accept rate: 0%


One Answer:

0

tshark -i eth0 -z "follow,tcp,raw,1" "tcp port 5555" would come close, but still requires you to process the text output into a raw file. A better option would be to consult the tools section of the wiki. Here you may find tools more suitable for your purpose.

answered 10 May '16, 01:28

Jaap ♦
11.7k16101
accept rate: 14%

Jaap,

Thanks for that. I have seen this command before. I thought I was just getting the syntax wrong. So I tried it again yesterday. When I use the command above wireshark, I get a notification saying that z follow is not an option.

Dre Dre.

(11 May '16, 17:13) Dr Dre

@Dr Dre, because it's a command line option to tshark, not to Wireshark?

(11 May '16, 22:28) Jaap ♦

Sorry Jaap, just clarifying. I did use this via tshark.

(11 May '16, 22:53) Dr Dre

What tshark version are we talking about here? I think it was already in by version 1.8.

(12 May '16, 02:58) Jaap ♦

Jaap,

I just checked, the version I have on my Ubuntu is 1.6.7.

Dre Dre

(18 May '16, 18:08) Dr Dre

I just changed the version of wireshark/tshark and the z follow command works. Having issues then with saving it to a file.

(18 May '16, 19:49) Dr Dre
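
The answer above notes that the follow,tcp,raw text output still has to be processed into a raw file. As an added example (not part of the original thread and not Wireshark project code), this Python script does that conversion. It assumes the output layout of current tshark releases: header lines, then one hex line per segment, with the second node's lines indented by a tab. The sample text, addresses and function name are constructed for illustration.

```python
import re
import sys

# Constructed sample of `tshark -q -z follow,tcp,raw,1` text output (not from the thread).
SAMPLE = """\
===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 1
Node 0: 192.0.2.10:40000
Node 1: 192.0.2.20:5555
48454c4c4f
\t000000016742
\t0000000168ce
4259450a
===================================================================
"""

# Separator and header lines that surround the hex payload lines.
HEADER = re.compile(r"^(=+|Follow: |Filter: |Node [01]: )")
# One payload line: optional leading tab (Node 1), then whole hex bytes only.
HEXLINE = re.compile(r"^(\t?)((?:[0-9a-fA-F]{2})+)$")


def parse_follow_raw(text):
    """Return (node0_bytes, node1_bytes) reassembled from follow,tcp,raw text."""
    streams = [bytearray(), bytearray()]
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or HEADER.match(line):
            continue
        m = HEXLINE.match(line)
        if m is None:
            # Packet summaries or other text mixed in (e.g. -q was not used):
            # refuse to guess rather than write a corrupted file.
            raise ValueError(f"line {lineno}: unexpected text {line[:40]!r}")
        streams[1 if m.group(1) else 0] += bytes.fromhex(m.group(2))
    return bytes(streams[0]), bytes(streams[1])


if __name__ == "__main__":
    # usage: python follow2raw.py NODE OUTFILE < follow.txt   (NODE is 0 or 1)
    node, path = int(sys.argv[1]), sys.argv[2]
    with open(path, "wb") as fh:
        fh.write(parse_follow_raw(sys.stdin.read())[node])
```

Pick the node whose direction carries the stream you want; the two directions are kept separate so the written file contains only one side of the conversation.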