This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

command line option for “Follow tcp stream”


Hi, is there any command line option to generate "Follow tcp stream" (which is available in the GUI), so that we can look at the messages which are exchanged between the applications as a whole, without having the message broken into multiple parts? Basically I wanted to track all the payload which is getting exchanged between the applications and write it to some file, so I need to find a command line option which does the same thing the "Follow tcp stream" GUI does.

asked 09 Apr '12, 01:48

vikram

edited 09 Apr '12, 02:51


2 Answers:


As tshark 1.7.1 is not available on your platform (none of the big distributions provide it as a package), I recommend using tcpflow (see also the Wiki: http://wiki.wireshark.org/Tools). This tool is provided by most Linux distributions and it does extract the data of TCP sessions.

Example:

tcpflow -r http.cap

This creates several files, named by the IP addresses and ports of a conversation, e.g. 080.190.158.009.00080-192.168.030.151.52612

Sample output:

head -40 080.190.158.009.00080-192.168.030.151.52612

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 May 2012 09:45:18 GMT
Content-Type: text/html; charset=iso-8859-15
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
Last-Modified: Tue, 08 May 2012 05:02:00 GMT
ETag: "49db9-5a77-4965c200"
Accept-Ranges: bytes
Content-Length: 23159
Cache-Control: max-age=14400
Expires: Tue, 08 May 2012 13:45:18 GMT
<!DOCTYPE html PUBLIC "-//W4C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta name="generator" content="HTML Tidy, see www.w3.org"> <meta http-equiv="Content-Type" content= "text/html; charset=iso-8859-15"> <meta name="Author" content="LEO GmbH"> <meta name="description" content="#meta_descr#"> <meta name="keywords" content="#meta_keys#">
<title>WWW leo.org</title>

If you filter away the HTTP response headers, you will get what you are looking for.

Regards
Kurt

answered 08 May '12, 02:53

Kurt Knochner ♦

edited 08 May '12, 02:57

Hi Kurt, is there any way to decrypt SSL using the tcpflow command? I am aware of decrypting using tshark (with the private key); I am trying to find out if the same can be achieved using tcpflow.

(16 May '12, 22:59) vikram

I'm sorry, tcpflow has no option for SSL decryption. If you need that, you should use the latest tshark. Compiling it yourself is pretty easy, especially on Ubuntu.

apt-get build-dep wireshark

Then get the source. Extract it and run these commands in the wireshark directory.

./configure
make
make install

Regards
Kurt

(17 May '12, 00:31) Kurt Knochner ♦

Unfortunately tcpflow saves client and server TCP payloads in separate files. This means that you will lose the order of payloads :(

(05 Feb '15, 06:48) SuBCo


Use the development version of tshark (1.7.1) and the -z follow option, e.g. -z follow,tcp,ascii,1 will display the ASCII output of tcp conversation number 1 from the input.

The -z follow option was introduced in r40856 of trunk.

answered 09 Apr '12, 03:11

grahamb ♦

Hi grahamb, is there a Linux version of tshark 1.7.1 available for download? I am interested in using the command line option of tshark to get the TCP stream and see the actual payload (XML in my case).

(07 May '12, 22:14) vikram

Not that I'm aware of. Until your distribution provides a pre-compiled package you'll just have to compile it yourself.

(08 May '12, 02:29) grahamb ♦
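What "Follow TCP Stream" and tshark's -z follow,tcp actually do, and what tcpflow's one-file-per-direction output loses (see SuBCo's comment on the other answer), as an added example in Python that is not code from this thread, from Wireshark or from tcpflow: it parses a classic pcap, reassembles each direction of every TCP conversation by sequence number (holding back out-of-order segments, dropping retransmitted bytes, flagging holes) and emits both directions interleaved in the order the data became contiguous. The sample capture it builds is constructed for the example, not a real trace; the addresses simply reuse the ones from the tcpflow output above. It handles Ethernet/IPv4 only, ignores checksums, and treats sequence numbers as plain integers (no 32-bit wrap handling), which is fine for short captures.

```python
"""Follow a TCP stream from a pcap in pure Python (added example, not Wireshark or tcpflow code).
Each direction is reassembled by sequence number, then both directions are interleaved in the
order their data became contiguous. Ethernet/IPv4 only, checksums ignored, no 32-bit seq wrap."""
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10

def parse_pcap(data):
    """Yield raw frames from a classic (non-pcapng) pcap in either byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic pcap with LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # IP total length trims Ethernet padding
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return src, sport, dst, dport, seq, tcp[13], tcp[(tcp[12] >> 4) * 4:]

def _deliver(d, chunks):
    """Emit pending segments that now start at or before the expected seq, lowest first."""
    while ready := [s for s in d["pending"] if s <= d["expected"]]:
        seq = min(ready)
        data = d["pending"].pop(seq)[d["expected"] - seq:]  # drop bytes already delivered
        if not data:
            continue  # pure retransmission
        if chunks and chunks[-1][0] == d["label"]:  # same direction as the last chunk: extend it
            chunks[-1] = (d["label"], chunks[-1][1] + data)
        else:
            chunks.append((d["label"], data))
        d["expected"] += len(data)

def follow_tcp(pcap_bytes):
    """One list of (direction, bytes) per TCP conversation, numbered like tshark's -z follow,tcp."""
    convs = {}
    for frame in parse_pcap(pcap_bytes):
        seg = parse_tcp(frame)
        if seg is None:
            continue
        src, sport, dst, dport, seq, flags, payload = seg
        a, b = (src, sport), (dst, dport)
        conv = convs.setdefault(tuple(sorted((a, b))), {"chunks": [], "dirs": {}})
        d = conv["dirs"].setdefault(a, {"expected": None, "pending": {},
                                        "label": f"{src}:{sport} -> {dst}:{dport}"})
        if flags & SYN:
            d["expected"] = seq + 1  # data starts one past the ISN
        if payload:
            if d["expected"] is None:  # capture began mid-stream: trust the first data seq
                d["expected"] = seq
            d["pending"][seq] = payload
            _deliver(d, conv["chunks"])
    for conv in convs.values():
        for d in conv["dirs"].values():
            if d["pending"]:  # segments stuck behind a hole: flag the hole, then flush them
                hole = min(d["pending"]) - d["expected"]
                conv["chunks"].append((d["label"] + " (gap)", b"[%d bytes not captured]" % hole))
                d["expected"] += hole
                _deliver(d, conv["chunks"])
    return [conv["chunks"] for conv in convs.values()]

def make_frame(src, dst, seq, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed checksums (constructed test data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src[0].split("."))), bytes(map(int, dst[0].split("."))))
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 5 << 4, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def make_pcap(frames):
    """Wrap frames in a little-endian classic pcap (constructed test data only)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

CLIENT, SERVER = ("192.168.30.151", 52612), ("80.190.158.9", 80)  # constructed endpoints

def build_sample_pcap():
    """Constructed capture: an HTTP exchange whose response body arrives out of order, one segment retransmitted."""
    c, s = CLIENT, SERVER
    req = b"GET / HTTP/1.1\r\nHost: www.leo.org\r\n\r\n"
    hdr = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
    body = 5001 + len(hdr)  # server seq at which the body starts
    return make_pcap([make_frame(c, s, 100, SYN), make_frame(s, c, 5000, SYN | ACK),
                      make_frame(c, s, 101, PSH | ACK, req), make_frame(s, c, 5001, PSH | ACK, hdr),
                      make_frame(s, c, body + 3, PSH | ACK, b"lo"),  # "lo" captured before "hel"
                      make_frame(s, c, body, PSH | ACK, b"hel"),
                      make_frame(s, c, body, PSH | ACK, b"hel")])  # retransmission: must not be duplicated

if __name__ == "__main__":
    import sys
    pcap = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for n, chunks in enumerate(follow_tcp(pcap)):
        for direction, data in chunks:
            print(f"=== stream {n}: {direction} ({len(data)} bytes) ===\n{data.decode('latin-1')}")
```

Run it with a capture path as the first argument, or with no argument to see the built-in sample: there the body segment "lo" is captured before "hel" and "hel" is then retransmitted, and the output still reads the request followed by `HTTP/1.1 200 OK ... hello` exactly once, in conversation order. Streams are numbered by first appearance, which is the same convention as tshark's `-z follow,tcp,ascii,N` (counting from 0). A direction whose segments never become contiguous gets an explicit "(gap)" marker rather than silently concatenated data, which matters when you are reading payload out of a lossy capture.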