This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

follow tcp stream in wireshark

0

I have a trace file with 2000 streams. I open this trace with Wireshark on Windows. For my work I need to create separate txt files, each containing one TCP stream. But in Wireshark I can see only one stream at a time with Follow TCP Stream, and I have to save the stream files one by one! How can I get these streams into separate files in an easy way? Many thanks.

asked 25 Aug '13, 04:26

Soroor


2 Answers:

1

You might want to try tools other than Wireshark, e.g. TCPFlow.

answered 25 Aug '13, 04:54

Jasper ♦♦

1

You can use some scripting around tshark to do that:

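# List the distinct TCP stream numbers, taken from packets that have SYN set.
# -Y is the display-filter option in current tshark (older releases used -R here).
for stream in $(tshark -nlr <file> -Y tcp.flags.syn==1 -T fields -e tcp.stream | sort -n | uniq)
do
  echo "Processing stream $stream"
  # Write the ASCII "Follow TCP Stream" output for this stream to its own file
  tshark -nlr <file> -qz "follow,tcp,ascii,$stream" > "stream-$stream.log"
done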

answered 25 Aug '13, 06:27

SYN-bit ♦♦

First, many thanks for your answer. Actually, I am new in this field. I know this code is useful, but I do not have any idea how I can use it in tshark! I would be very thankful if you could help me more with running tshark and using this code.

(26 Aug '13, 02:43) Soroor
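
The tshark loop from the answer above, written for PowerShell on Windows as in the question. This is an added example, not part of the original posts. The tshark install path, the output directory and the parameter names are assumptions, and it lists streams from all TCP packets rather than only SYN packets, so streams whose handshake is missing from the capture are also exported.

```powershell
# Added example: write every TCP stream in a capture to its own text file.
param(
    [Parameter(Mandatory = $true)][string]$Pcap,                  # capture file to read
    [string]$OutDir = "streams",                                  # assumed output folder
    [string]$Tshark = "C:\Program Files\Wireshark\tshark.exe"     # assumed install path
)

if (-not (Test-Path -LiteralPath $Tshark)) { throw "tshark not found at $Tshark" }
if (-not (Test-Path -LiteralPath $Pcap))   { throw "capture not found: $Pcap" }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# tshark prints one tcp.stream index per TCP packet; keep the distinct
# numeric values. Filtering on "tcp" instead of the SYN flag also catches
# streams that started before the capture did.
$ids = & $Tshark -n -r $Pcap -Y "tcp" -T fields -e tcp.stream |
    Where-Object { $_ -match '^\d+$' } |
    ForEach-Object { [int]$_ } |
    Sort-Object -Unique

foreach ($id in $ids) {
    Write-Host "Processing stream $id"
    $out = Join-Path $OutDir "stream-$id.log"

    # -q suppresses per-packet output, -z follow,... prints the stream body.
    # Set-Content with an explicit encoding avoids the UTF-16 files that
    # the ">" operator produces in Windows PowerShell.
    & $Tshark -n -r $Pcap -q -z "follow,tcp,ascii,$id" |
        Set-Content -LiteralPath $out -Encoding Ascii

    if ($LASTEXITCODE -ne 0) { Write-Warning "tshark failed on stream $id" }
}
```

Saved under a name such as Split-TcpStreams.ps1 (hypothetical), it is run from a PowerShell prompt as `.\Split-TcpStreams.ps1 -Pcap trace.pcap`. Each stream costs one full pass over the capture, the same as the shell loop.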