If I have a trace with say 20 tcp streams, is there an easy way to save out each tcp stream to its own separate file, whether it be using tshark, editcap, gui, etc.? Or is the only way to do this to use a display filter for each stream and save as one by one?
asked 22 Jun '11, 13:35
If you want to split the file into separate files in pcap format, each containing one tcp stream, you can do that with a little scripting around tshark. If you are only interested in the tcp payload of each stream, you'd have to use a tool like "tcpflow".
Assuming the first, you can do this by the following (just an example):
(You can also just do a for loop to the highest tcp.stream number, but there may be gaps in the tcp.stream numbering as it reuses the conversation index and there may be other conversations than tcp)
answered 22 Jun '11, 15:46
edited 22 Jun '11, 15:47
This is right meeting your requirement. https://github.com/caesar0301/pkt2flow
answered 25 Dec '12, 03:59