This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

separate flow-based packets


Hello, I have a pcap file and I am going to separate the packets by flow (and optionally save them to files), then separate the request and response packets (and save them to files). I use Linux. Is there any app or method to do this? Thanks


asked 15 Jul '14, 03:08


mhch


2 Answers:


You can use tcpflow on Linux

https://github.com/simsong/tcpflow

or tcpick

http://tcpick.sourceforge.net/

or other tools from the following list

http://wiki.wireshark.org/Tools

On Windows there is SplitCap

http://www.netresec.com/?page=SplitCap

And finally, you can also use tshark

tshark -nr input.pcap -Y "tcp.stream eq 1" -w stream1.pcap

Regards
Kurt

answered 15 Jul '14, 03:16


Kurt Knochner ♦

I used tcpflow and separated the flows, but I still have a problem with request/response separation. Can you help me? Thanks

(16 Jul '14, 03:00) mhch

request/response of which protocol?

(16 Jul '14, 07:51) Kurt Knochner ♦

Thanks Kurt Knochner. I have a pcap file that includes every protocol, like FTP, HTTP, HTTPS and so on. I am going to separate every flow and then separate every response and request.

(19 Jul '14, 22:03) mhch
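As an added example, not code from the original thread and not part of tcpflow or tshark, the following standard-library Python script does both steps the question asks for in one pass: it groups the packets of a classic pcap file into bidirectional flows (protocol plus unordered endpoint pair, the same thing Wireshark's tcp.stream index identifies), and within each flow it puts the packets sent by the initiator into a "request" list and the packets sent by the other side into a "response" list, then writes each half to its own pcap. It handles IPv4 TCP and UDP over Ethernet. The function names (split_flows, split_to_files, tcp_frame, ...) and the sample capture are this example's own; the sample is constructed inline so the script runs offline and is not real traffic.

```python
"""Split a classic libpcap file into flows, then each flow into request/response halves.
Added example for this thread, not tcpflow/tshark code; standard library only."""
import os
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4       # native-order magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def pcap_global_header():
    """24-byte libpcap header: magic, version 2.4, zone 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def parse_pcap(data):
    """Yield (ts_sec, ts_usec, frame_bytes) records from a classic pcap (not pcapng)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def endpoints(frame):
    """Return (proto, src_ip, sport, dst_ip, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 (ARP, IPv6, ...)
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:  # not TCP/UDP, or truncated
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return proto, src, sport, dst, dport


def split_flows(data):
    """Group records by (proto, sorted endpoint pair). The side that sent the first packet
    seen is the initiator: its packets go to 'request', the other side's to 'response'.
    A capture that starts mid-flow can get this backwards; check the SYN if that matters."""
    flows = {}
    for record in parse_pcap(data):
        ep = endpoints(record[2])
        if ep is None:
            continue
        proto, src, sport, dst, dport = ep
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        flow = flows.setdefault(key, {"initiator": (src, sport), "request": [], "response": []})
        flow["request" if flow["initiator"] == (src, sport) else "response"].append(record)
    return flows


def flow_name(key):
    proto, (a, ap), (b, bp) = key
    return "%s_%s.%d-%s.%d" % ("tcp" if proto == 6 else "udp", a, ap, b, bp)


def write_pcap(path, records):
    with open(path, "wb") as f:
        f.write(pcap_global_header())
        for ts_sec, ts_usec, frame in records:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)


def split_to_files(data, outdir):
    """Write <flow>.request.pcap and <flow>.response.pcap per flow; return the paths."""
    written = []
    for key, flow in split_flows(data).items():
        for side in ("request", "response"):
            if flow[side]:
                path = os.path.join(outdir, "%s.%s.pcap" % (flow_name(key), side))
                write_pcap(path, flow[side])
                written.append(path)
    return written


# --- constructed sample capture so the example runs offline; not real traffic ---
def tcp_frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, which is fine for splitting."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def sample_pcap():
    frames = [
        tcp_frame("10.0.0.1", 40000, "10.0.0.2", 80, b"GET / HTTP/1.1\r\n\r\n"),
        tcp_frame("10.0.0.2", 80, "10.0.0.1", 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
        tcp_frame("10.0.0.1", 40001, "10.0.0.3", 21, b"USER anonymous\r\n"),
        tcp_frame("10.0.0.3", 21, "10.0.0.1", 40001, b"331 Please specify the password.\r\n"),
        tcp_frame("10.0.0.2", 80, "10.0.0.1", 40000, b"<html></html>"),
    ]
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return pcap_global_header() + body
```

Call split_to_files(open("input.pcap", "rb").read(), "outdir") on a real file; for the constructed sample it produces four files, two per flow. Two caveats a practitioner should keep in mind: the initiator guess is the first packet seen, so a capture that began mid-connection needs the SYN check mentioned in the docstring, and for protocols that carry several messages on one connection (HTTP keep-alive, TLS) this gives the two directions of the stream, not individual messages, which is also what tcpflow's per-direction files give you.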


I wrote a script with bash and used tcpflow in my script. This is my script:

#!/bin/bash
set -vx
read -p "where is your pcap file ? " pcap
outdir=/tmp/outdir
tcpflow -a -o "$outdir" -r "$pcap"
ls "$outdir" > /tmp/list
while read -r line
do
    # tcpflow names each file src-dst, e.g. 010.000.000.001.12345-010.000.000.002.00080
    P1=$(echo "$line" | cut -d "-" -f 1)
    P2=$(echo "$line" | cut -d "-" -f 2)
    if [ -d "$P1-$P2" ] || [ -d "$P2-$P1" ]
    then
        continue
    else
        mkdir -p "$P1-$P2/$P1"
        mkdir -p "$P1-$P2/$P2"
    fi
    # one directory per flow; each direction's file goes under its source endpoint
    find "$outdir" -name "$P1-$P2" -exec mv {} "$P1-$P2/$P1" \;
    find "$outdir" -name "$P2-$P1" -exec mv {} "$P1-$P2/$P2" \;
done < /tmp/list
set +vx

answered 27 Jul '14, 01:39


mhch