This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

using command line option to save major udp/tcp flows

0

Can anyone please tell me what is the difference between wireshark, ethereal and tshark ? And which one should be used for my below problem ?

i want to save the major udp/tcp flows (by major i mean having maximum number of bytes) using command line ethereal (or tshark/wireshark if not possible with ethereal) , to a separate pcap. Then sometimes, i would like to even save the 2nd major udp & tcp flows (want to save udp and tcp flows separately) in a separate pcap. just to start with using command line ethereal, i used following cmd to save tcp conversation in a separate pcap file but this too doesn't work (rather it opens a gui window with tcp flows but doesn't save in separate file)

ethereal -r sample.pcap -z conv,tcp -w ./sample_tcp.pcap

Please let me know how can i save the major flows. any help will be greatly appreciated. thanks.

asked 17 May '12, 05:08

viks's gravatar image

viks
16447
accept rate: 0%


One Answer:

2

Ethereal is the old name for Wireshark and any executables of that name are obsolete and shouldn't be used.

Wireshark is a GUI protocol analyzer, tshark is the command line version of Wireshark. tshark can output conversations (the *shark name for flows) using the -z conv,tcp option you have listed. The output is a text table with the conversations listed in order of total number of frames.

To save each flow in the original capture file to a separate file of its own will require some scripting to:

  1. Determine the top flow in the original capture using the sort order of your choice by parsing the output of z conv,tcp
  2. Calculate a read filter for that flow (source and dest IP's and ports ??).
  3. Read the original file, applying the filter obtained in 2. and outputting the result to a new file.

answered 17 May '12, 06:08

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%