This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark: What is the command for getting only “Reassembled TCP” in -x output

0

Assume Windows, if I used

tshark -r file.pcap -R "tcp.stream eq xxx" -x

according to the documentation I get "hex and ASCII dump of the packet data after printing the summary or details". Looking at the output, I am only interested in the Reassembled TCP section of the -x output. Is there a field in Wireshark or a command to output only that section? Thanks for your help!

asked 22 Dec '10, 13:58

averageguy

A better way of asking this question would be: how do I get the data of a reconstructed TCP stream?

(22 Dec '10, 14:35) averageguy

2 Answers:

0

There is no way?

answered 22 Dec '10, 21:13

averageguy

0

Can this be done with rawshark?

answered 27 Dec '10, 08:26

averageguy