Assume Windows. If I use tshark -r file.pcap -R "tcp.stream eq xxx" -x, then according to the documentation I get "hex and ASCII dump of the packet data after printing the summary or details". Looking at the output, I am only interested in the Reassembled TCP section of the -x output. Is there a field in Wireshark or a command to output only that section? Thanks for your help!

asked 22 Dec '10, 13:58 averageguy
2 Answers:
There is no way?

answered 22 Dec '10, 21:13 averageguy
Can this be done with rawshark?

answered 27 Dec '10, 08:26 averageguy
A better way of asking this question would be: how do I get the data of a reconstructed TCP stream?