This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to automate output tcp data which the format is just like Follow TCP Stream?

0
1

when i click the Follow TCP Stream,wireshark can output entire conversation stream content,i want to how to make wireshark automate output every entire conversation stream content to a file. Is there anyone can give me some advice?

asked 15 Apr '14, 22:23

fred's gravatar image

fred
267813
accept rate: 0%

edited 15 Apr '14, 22:30

One Answer:

1

You can use tshark

tshark -nr input.pcap -z "follow,tcp,ascii,1"

This will print the payload of TCP stream 1 in ASCII. See the tshark man page for details.

Or one of the tools listed here

https://isc.sans.edu/diary/Tools+for+extracting+files+from+pcaps/6961
http://wiki.wireshark.org/Tools

Regards
Kurt

answered 16 Apr '14, 04:40

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

good job. And I have another question that how to know how many TCP streams in a pcap file?

(16 Apr '14, 05:42) fred
1

GUI:

Statistics -> Conversations

then look at the TCP tab. The number after the colon is the number of TCP conversations/streams.

CLI:

tshark -nr input.pcap -q -z conv,tcp

Then count the lines

(19 Apr '14, 14:48) Kurt Knochner ♦

thanks, it's what i need

(21 Apr '14, 20:38) fred