How to get output like when using -z?

I have been using this script to automatically split a pcap file into single TCP streams:

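# $1 = input capture, $2 = output directory (must already exist)
for stream in $(tshark -r "$1" -T fields -e tcp.stream | sort -n | uniq)
do
    echo "$stream"
    # Write only the packets of this stream to their own capture file
    tshark -r "$1" -w "$2/stream-$stream.cap" -Y "tcp.stream==$stream"
done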

Now, for each single capture file that represents a stream, I would like to read it in the same format that you get when you follow a stream using -z, for example:

tshark -r somefile.pcap -z "follow,http,ascii,172.18.0.6:57238,172.18.0.4:8081"

Does some option that does this exist?
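
An added example, not part of the original question: tshark's follow tap accepts a TCP stream index in place of the address:port pair, and -q suppresses the per-packet listing, so each stream can be printed in follow format directly. The function names and output file naming below are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): dump every TCP stream of a
# capture in "Follow Stream" format, one text file per stream.
# Usage: follow_all_streams capture.pcap outdir

# Print the distinct tcp.stream indexes in a capture, ascending.
list_streams() {
    # -Y tcp drops non-TCP packets, which would otherwise yield empty lines.
    tshark -r "$1" -Y tcp -T fields -e tcp.stream | sort -n | uniq
}

# Write outdir/stream-N.txt for each stream index N; echo the count written.
follow_all_streams() {
    pcap=$1
    outdir=$2
    count=0
    mkdir -p "$outdir" || return 1
    for stream in $(list_streams "$pcap"); do
        # -q keeps only the tap output. The last field of the follow tap
        # is the stream index, used here instead of the addr:port pair.
        tshark -r "$pcap" -q -z "follow,tcp,ascii,$stream" \
            > "$outdir/stream-$stream.txt" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Run only when invoked with two arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    follow_all_streams "$1" "$2"
fi
```

A capture file that was already split down to a single stream has that stream renumbered as index 0, so it can be read with `-q -z follow,tcp,ascii,0`.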