This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Easy way to save tcp streams?

2
1

If I have a trace with say 20 tcp streams, is there an easy way to save out each tcp stream to its own separate file, whether it be using tshark, editcap, gui, etc.? Or is the only way to do this to use a display filter for each stream and save as one by one?

Thanks!

asked 22 Jun '11, 13:35

seyerekim's gravatar image

seyerekim
36347
accept rate: 0%

2 Answers:

5

If you want to split the file into separate files in pcap format, each containing one tcp stream, you can do that with a little scripting around tshark. If you are only interested in the tcp payload of each stream, you'd have to use a tool like "tcpflow".

Assuming the first, you can do this by the following (just an example):

for stream in `tshark -r <pcapfile> -T fields -e tcp.stream | sort -n | uniq`
do
    echo $stream
    tshark -r <pcapfile> -w stream-$stream.cap -R "tcp.stream==$stream"
done

(You can also just do a for loop to the highest tcp.stream number, but there may be gaps in the tcp.stream numbering as it reuses the conversation index and there may be other conversations than tcp)

answered 22 Jun '11, 15:46

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 22 Jun '11, 15:47

Thanks Sake, this helps!

(22 Jun '11, 19:54) seyerekim

FYI, on Windows using cygwin, you may need to pipe the output of uniq to sed to remove the extraneous carriage return; otherwise you may see an invalid address:port pair error message, i.e.:

for stream in `tshark -r <pcapfile> -T fields -e tcp.stream | sort -n | uniq | sed 's/\r//'`

See also this question and my answer there.

(31 Aug '13, 18:05) cmaynard ♦♦

1

This is right meeting your requirement. https://github.com/caesar0301/pkt2flow

answered 25 Dec '12, 03:59

Jamin's gravatar image

Jamin
171
accept rate: 0%