This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Stream output in Pdml format


Hi, I use tshark to get a TCP stream in ASCII format by using tshark -r read.pcap -z follow,tcp,stream,1 -q. I want to output the HTTP request and response in PDML format (or in XML format), like <conn srcip="0.0.0.0" dstip="0.0.0.0"/><msg proto="http"><field method=""> and so on.

Can anyone help me with how to access the code of tshark to output the protocol tree while following the TCP stream?

asked 05 Dec '12, 06:42


Leaguer


One Answer:


Can anyone help me with how to access the code of tshark to output the protocol tree while following the TCP stream?

By using the option -z follow,tcp,hex,1 tshark will just walk through the capture file and collect the whole payload data of the given stream (using a TAP function). At the end of the capture file, tshark will output the collected data in a predefined form. So, there is no PDML involved while using the follow stats option. If you add the option -q it will not even show the packet summary for each packet it processes.

So, if you need PDML output of stream 1, I suggest using this:

tshark -nr input.cap -T pdml -R "tcp.stream == 1"

This will output every packet of stream #1 in PDML format, including the payload data (field name="tcp.data"). So, you will get the PDML output, and if you need the same output that follow,tcp produces, you can have that as well, by extracting the payload data from the "tcp.data" field (unless there is packet reordering).

Does that help?

Regards
Kurt

answered 05 Dec '12, 11:59


Kurt Knochner ♦

Following the above discussion: it is not helpful in the case of a chunked HTTP response (e.g., an executable in the data). From PDML it requires doing all the reordering and reassembly. I was wondering if I can have the full protocol request and response (with one data) in PDML format, for one stream. It seems that with the current configuration it is not possible. Any suggestions for assembling the TCP stream from PDML output? Thanks

(13 Dec '12, 21:33) Leaguer

Well, then I suggest using another tool, like tcpflow. See my answers to the following questions. The output is not in PDML, but it is easy to parse.

http://ask.wireshark.org/questions/14811/follow-tcp-stream-with-tshark-still-can-not-in-batch-mode
http://ask.wireshark.org/questions/16690/split-pcap-file-into-smaller-pcap-file-according-to-tcp-flow

(14 Dec '12, 06:48) Kurt Knochner ♦
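The reordering caveat in the answer and the reassembly problem raised in the follow-up comment are the same job: take the per-packet payload fields out of the PDML, group them per direction, order them by tcp.seq, and drop retransmitted or overlapping bytes. The script below is an added example written for this page; it is not part of tshark or Wireshark and not code from either poster. It assumes PDML like that produced by "tshark -nr input.cap -T pdml -R "tcp.stream == 1"" with tshark's default relative sequence numbers, and that the raw payload appears as a field named tcp.payload (newer tshark), tcp.data (as named in the answer above) or data.data, in each case hex-encoded in the field's "value" attribute; which of those names your version emits, and whether one is emitted at all when a higher-layer dissector consumes the payload, is version dependent and should be checked against your own output. The PDML embedded at the bottom is a constructed, minimal sample (real output carries many more fields) with an out-of-order segment and a retransmission so that the ordering logic is exercised.

```python
"""Added example: rebuild one TCP stream's payload from tshark PDML output.

Not part of tshark/Wireshark. Assumes relative sequence numbers (tshark's
default) and a hex-encoded payload field named tcp.payload, tcp.data or
data.data; the sample PDML at the bottom is constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PAYLOAD_FIELDS = ("tcp.payload", "tcp.data", "data.data")   # assumed names, version dependent


@dataclass
class Segment:
    frame: int    # frame number, so a byte can be traced back to the capture
    src: str      # "ip:port" of the sender
    dst: str      # "ip:port" of the receiver
    seq: int      # relative TCP sequence number of the first payload byte
    data: bytes


def _field(node, name):
    """First <field name="..."> below node, or None (PDML fields nest)."""
    for f in node.iter("field"):
        if f.get("name") == name:
            return f
    return None


def parse_pdml_segments(pdml, stream_id):
    """One Segment per packet of tcp.stream == stream_id that carries payload."""
    segs = []
    for index, pkt in enumerate(ET.fromstring(pdml).iter("packet"), 1):
        stream = _field(pkt, "tcp.stream")
        if stream is None or stream.get("show") != str(stream_id):
            continue
        payload = None
        for name in PAYLOAD_FIELDS:
            payload = _field(pkt, name)
            if payload is not None:
                break
        if payload is None:
            continue                           # SYN, pure ACK, FIN: no stream bytes
        num = _field(pkt, "num")               # geninfo frame number, if present
        segs.append(Segment(
            frame=int(num.get("show")) if num is not None else index,
            src="%s:%s" % (_field(pkt, "ip.src").get("show"), _field(pkt, "tcp.srcport").get("show")),
            dst="%s:%s" % (_field(pkt, "ip.dst").get("show"), _field(pkt, "tcp.dstport").get("show")),
            seq=int(_field(pkt, "tcp.seq").get("show")),
            data=bytes.fromhex(payload.get("value")),
        ))
    return segs


def reassemble(segments):
    """{(src, dst): (payload_bytes, gaps)} per direction, ordered by seq.

    Retransmissions and overlapping bytes are dropped; a hole in the capture is
    recorded in gaps as (expected_seq, next_seq) instead of being silently joined.
    """
    by_dir = {}
    for s in segments:
        by_dir.setdefault((s.src, s.dst), []).append(s)
    result = {}
    for key, segs in by_dir.items():
        segs.sort(key=lambda s: (s.seq, -len(s.data)))   # lowest seq, longest first
        out, gaps = bytearray(), []
        expected = segs[0].seq
        for s in segs:
            end = s.seq + len(s.data)
            if end <= expected:
                continue                                  # pure retransmission
            if s.seq > expected:
                gaps.append((expected, s.seq))            # bytes never captured
            out.extend(s.data[max(0, expected - s.seq):]) # trim partial overlap
            expected = end
        result[key] = (bytes(out), gaps)
    return result


def follow_stream(pdml, stream_id):
    """Equivalent of 'follow,tcp' built from PDML: both directions of one stream."""
    return reassemble(parse_pdml_segments(pdml, stream_id))


def _pkt(num, src, sport, dst, dport, stream, seq, payload):
    """Constructed minimal PDML packet; real tshark output has many more fields."""
    data = '<field name="tcp.data" value="%s"/>' % payload.hex() if payload else ""
    return ('<packet><proto name="geninfo"><field name="num" show="%d"/></proto>'
            '<proto name="ip"><field name="ip.src" show="%s"/><field name="ip.dst" show="%s"/></proto>'
            '<proto name="tcp"><field name="tcp.srcport" show="%d"/><field name="tcp.dstport" show="%d"/>'
            '<field name="tcp.stream" show="%d"/><field name="tcp.seq" show="%d"/>%s</proto></packet>'
            % (num, src, dst, sport, dport, stream, seq, data))


CLIENT, SERVER = ("10.0.0.1", 40000), ("10.0.0.2", 80)     # constructed endpoints
REQUEST = b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"
RESPONSE = [b"HTTP/1.1 200 OK\r\n", b"Content-Length: 5\r\n\r\n", b"hello"]   # seq 1, 18, 39

SAMPLE_PDML = "<pdml>" + "".join([
    _pkt(1, *CLIENT, *SERVER, 1, 1, REQUEST),
    _pkt(2, *SERVER, *CLIENT, 1, 1, b""),                 # ACK only, no payload
    _pkt(3, *SERVER, *CLIENT, 1, 39, RESPONSE[2]),        # captured out of order
    _pkt(4, *SERVER, *CLIENT, 1, 1, RESPONSE[0]),
    _pkt(5, *SERVER, *CLIENT, 1, 18, RESPONSE[1]),
    _pkt(6, *SERVER, *CLIENT, 1, 1, RESPONSE[0]),         # retransmission
    _pkt(7, "10.0.0.3", 5555, *SERVER, 2, 1, b"not stream 1"),
]) + "</pdml>"

if __name__ == "__main__":
    for (src, dst), (data, gaps) in follow_stream(SAMPLE_PDML, 1).items():
        print("%s -> %s (%d bytes, gaps=%s)" % (src, dst, len(data), gaps))
        print(data.decode("latin-1"))
```

For a real capture, feed the file produced by the tshark command in the answer: follow_stream(open("stream1.pdml", "rb").read(), 1). Segments that arrived in a different order than they were sent, or were retransmitted, come out in sequence order; a non-empty gaps list means the capture is missing bytes for that direction, which is exactly the case (chunked transfer of a binary) where blindly concatenating tcp.data values would hand you a corrupt executable.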