This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark string


Hi all, how do I extract only the TCP streams containing a specific string to a single pcap file using tshark?

asked 17 Feb '14, 21:22


kishan pandey


One Answer:


tshark on Windows (DOS box):

tshark -nr input.pcap -Y "frame contains ""HTTP/1.0""" -w output.pcap

Triple quote (""") is intentional!

tshark on Linux:

tshark -nr input.pcap -Y 'frame contains "HTTP/1.0"' -w output.pcap

ngrep: (another open source tool)

ngrep -I input.pcap -i 'HTTP/1.0' -O output.pcap

Regards
Kurt

answered 19 Feb '14, 05:57


Kurt Knochner ♦

edited 19 Feb '14, 06:34


tshark on Windows PowerShell:

tshark -nr input.pcap -Y 'frame contains "HTTP/1.0"' -w output.pcap

i.e. the same as Linux.

I think you're missing a closing double quote on the Linux example.

(19 Feb '14, 06:32) grahamb ♦

Yep. Thanks for the hint!! I fixed it in the answer.

(19 Feb '14, 06:33) Kurt Knochner ♦

Thanks a lot Kurt and Graham, I will test this and revert.

(21 Feb '14, 22:53) kishan pandey
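Note for readers: the filter in Kurt's answer writes out only the individual frames that contain the string, whereas the question asks for the whole TCP streams. The script below is an added example (not part of the original answer) that does two passes with tshark: first it collects the tcp.stream indexes of matching frames, then it writes every frame of those streams. It assumes tshark is on PATH; input.pcap, output.pcap and the search string are placeholders.

```shell
#!/bin/sh
# Two-pass extraction of complete TCP streams that contain a string.
# Added example; assumes tshark is installed and on PATH.

# Build a display filter such as 'tcp.stream == 3 || tcp.stream == 7'
# from a whitespace-separated list of stream indexes (sorted, deduplicated).
build_stream_filter() {
    printf '%s\n' "$@" | sort -n -u | awk '
        NF {
            if (f != "") f = f " || "
            f = f "tcp.stream == " $1
        }
        END { print f }'
}

# Pass 1: list the stream index of every frame containing NEEDLE.
# Pass 2: write all frames belonging to those streams to OUT.
# Usage: extract_streams_containing input.pcap "HTTP/1.0" output.pcap
extract_streams_containing() {
    in="$1"; needle="$2"; out="$3"
    ids=$(tshark -nr "$in" -Y "frame contains \"$needle\"" \
                 -T fields -e tcp.stream | sort -n -u)
    # Non-TCP frames yield an empty tcp.stream field; if nothing is left, stop.
    [ -n "$ids" ] || { echo "no TCP stream contains '$needle'" >&2; return 1; }
    # Word splitting of $ids into separate arguments is intentional here.
    tshark -nr "$in" -Y "$(build_stream_filter $ids)" -w "$out"
}
```

The stream index is assigned per capture file, so the filter built in pass 2 is only valid against the same input.pcap it was derived from.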