I want to assemble all TCP sessions in real time and save the payload to a file. Is there a C library like Wireshark's 'Follow TCP Stream'? (I tried using libnids. However, the TCP sequence order is not correct.)

Wireshark: a->b->c->d->e
libnids or tcpflow: a->c->b->d->e ???

asked 31 Jan '15, 22:01 goesang
2 Answers:
No, there isn't. "Follow TCP Stream" is tightly integrated into the code and not available as a separate library.
Furthermore, if you are trying to do this in real time, Wireshark/tshark is (probably) the wrong tool for you, as it was not designed to work that way. See my answer to a similar question and the links therein.
Regards

answered 10 Feb '15, 03:10 Kurt Knochner ♦
I can recommend PcapPlusPlus, which is a C++ library that can do exactly that. Please take a look at the TcpReassembly example, which does what you ask: it reassembles TCP data from packets captured from live traffic or from a pcap file.

answered 23 Jul '16, 12:29 seladb, edited 23 Jun '17, 14:51
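The ordering problem in the question (segments captured as a, c, b, d, e) is what any stream reassembler has to solve: track the next expected sequence number per direction, park segments that arrive ahead of it, and drain them once the gap is filled. The following is an added, self-contained C++ example written for this page; it is not code from the original answers and not the PcapPlusPlus TcpReassembly example. It assumes the capture and parsing layer (libpcap, flow keying by the 4-tuple, SYN/FIN handling) has already reduced one direction of one flow to a list of (sequence number, payload) pairs; the segment data is constructed inline, with a retransmitted copy and a partially overlapping segment added to show how those are trimmed.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <map>
#include <string>
#include <vector>

// One direction of a TCP stream. next_seq is the next byte expected; segments
// that arrive ahead of it are parked in pending until the gap is filled.
struct StreamDir {
    uint32_t next_seq = 0;
    bool started = false;
    std::map<uint32_t, std::string> pending;  // keyed by raw seq (ordering is wrong only across a 2^32 wrap)
    size_t pending_bytes = 0;                 // bytes currently parked
    std::string payload;                      // in-order reassembled bytes
};

// Cap on parked out-of-order bytes so a stream with a permanent hole cannot
// grow memory without bound; segments beyond the budget are dropped.
static const size_t kMaxPending = 1 << 20;

// Feed one segment of one direction. Returns how many bytes were appended to
// the in-order payload (0 when the segment was duplicate, parked or dropped).
size_t feedSegment(StreamDir& d, uint32_t seq, const std::string& data) {
    if (data.empty()) return 0;
    if (!d.started) { d.next_seq = seq; d.started = true; }

    // Wraparound-safe distance from the expected point.
    int32_t delta = static_cast<int32_t>(seq - d.next_seq);
    std::string chunk = data;
    if (delta < 0) {
        // Starts before the expected point: retransmission or overlap. Keep
        // only the bytes we have not seen yet.
        size_t overlap = static_cast<size_t>(-delta);
        if (overlap >= chunk.size()) return 0;  // fully duplicate
        chunk.erase(0, overlap);
        delta = 0;
    }
    if (delta > 0) {
        // Out of order: park it, keeping the longer copy if one is already there.
        if (d.pending_bytes + chunk.size() > kMaxPending) return 0;
        auto it = d.pending.find(seq);
        if (it == d.pending.end() || it->second.size() < chunk.size()) {
            if (it != d.pending.end()) d.pending_bytes -= it->second.size();
            d.pending_bytes += chunk.size();
            d.pending[seq] = chunk;
        }
        return 0;
    }

    size_t appended = chunk.size();
    d.payload += chunk;
    d.next_seq += static_cast<uint32_t>(chunk.size());

    // Drain parked segments that have become contiguous.
    while (!d.pending.empty()) {
        auto it = d.pending.begin();
        int32_t pd = static_cast<int32_t>(it->first - d.next_seq);
        if (pd > 0) break;  // still a hole before the first parked segment
        std::string s = it->second;
        d.pending_bytes -= s.size();
        d.pending.erase(it);
        size_t ov = static_cast<size_t>(-pd);
        if (ov >= s.size()) continue;  // parked copy fully superseded
        s.erase(0, ov);
        d.payload += s;
        d.next_seq += static_cast<uint32_t>(s.size());
        appended += s.size();
    }
    return appended;
}

struct Segment { uint32_t seq; std::string data; };

// Reassemble one direction from segments in capture order.
std::string reassemble(const std::vector<Segment>& segs) {
    StreamDir d;
    for (const auto& s : segs) feedSegment(d, s.seq, s.data);
    return d.payload;
}

// Constructed sample: segments a..e captured as a, c, b, d, e (the order the
// question describes), plus a retransmitted b and a segment overlapping e.
std::vector<Segment> sampleSegments() {
    return {
        {1000, "AAAA"}, {1008, "CCCC"}, {1004, "BBBB"}, {1012, "DDDD"},
        {1004, "BBBB"},   // retransmission, fully duplicate
        {1016, "EEEE"}, {1018, "EEFF"},  // overlaps the last two bytes of e
    };
}

int main() {
    std::string payload = reassemble(sampleSegments());
    std::ofstream out("stream_dir0.bin", std::ios::binary);  // one file per direction
    out.write(payload.data(), static_cast<std::streamsize>(payload.size()));
    std::printf("reassembled %zu bytes: %s\n", payload.size(), payload.c_str());
    return 0;
}
```

A real tool keeps one StreamDir per direction of each flow (keyed on source/destination address and port), starts next_seq from the SYN's sequence number plus one, and closes the stream on FIN or RST; the parking budget is the piece most often forgotten, since a single lost segment otherwise lets the peer's traffic accumulate in memory indefinitely.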