using command line option to save major udp/tcp flows

Question

Can anyone please tell me what is the difference between wireshark, ethereal and tshark ? And which one should be used for my below problem ?

i want to save the major udp/tcp flows (by major i mean having maximum number of bytes) using command line ethereal (or tshark/wireshark if not possible with ethereal) , to a separate pcap. Then sometimes, i would like to even save the 2nd major udp & tcp flows (want to save udp and tcp flows separately) in a separate pcap. just to start with using command line ethereal, i used following cmd to save tcp conversation in a separate pcap file but this too doesn't work (rather it opens a gui window with tcp flows but doesn't save in separate file)

ethereal -r sample.pcap -z conv,tcp -w ./sample_tcp.pcap

Please let me know how can i save the major flows. any help will be greatly appreciated. thanks.

Accepted Answer

Ethereal is the old name for Wireshark and any executables of that name are obsolete and shouldn't be used.

Wireshark is a GUI protocol analyzer, tshark is the command line version of Wireshark. tshark can output conversations (the *shark name for flows) using the -z conv,tcp option you have listed. The output is a text table with the conversations listed in order of total number of frames.

To save each flow in the original capture file to a separate file of its own will require some scripting to:

Determine the top flow in the original capture using the sort order of your choice by parsing the output of z conv,tcp
Calculate a read filter for that flow (source and dest IP's and ports ??).
Read the original file, applying the filter obtained in 2. and outputting the result to a new file.