Easy way to save tcp streams?

Question

If I have a trace with say 20 tcp streams, is there an easy way to save out each tcp stream to its own separate file, whether it be using tshark, editcap, gui, etc.? Or is the only way to do this to use a display filter for each stream and save as one by one?

Thanks!

Answer 1

5

If you want to split the file into separate files in pcap format, each containing one tcp stream, you can do that with a little scripting around tshark. If you are only interested in the tcp payload of each stream, you'd have to use a tool like "tcpflow".

Assuming the first, you can do this by the following (just an example):

for stream in `tshark -r <pcapfile> -T fields -e tcp.stream | sort -n | uniq`
do
    echo $stream
    tshark -r <pcapfile> -w stream-$stream.cap -R "tcp.stream==$stream"
done

(You can also just do a for loop to the highest tcp.stream number, but there may be gaps in the tcp.stream numbering as it reuses the conversation index and there may be other conversations than tcp)

permanent link

answered 22 Jun '11, 15:46

SYN-bit ♦♦
17.1k●9●57●245
accept rate: 20%

edited 22 Jun '11, 15:47

Thanks Sake, this helps!

(22 Jun '11, 19:54) seyerekim

FYI, on Windows using cygwin, you may need to pipe the output of uniq to sed to remove the extraneous carriage return; otherwise you may see an invalid address:port pair error message, i.e.:

for stream in `tshark -r <pcapfile> -T fields -e tcp.stream | sort -n | uniq | sed 's/\r//'`

See also this question and my answer there.

(31 Aug '13, 18:05) cmaynard ♦♦

Answer 2

1	This is right meeting your requirement. https://github.com/caesar0301/pkt2flow permanent link answered 25 Dec '12, 03:59 Jamin 17●1 accept rate: 0%

Easy way to save tcp streams?

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions