This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark follow TCP stream upon condition

0

I want to dump in a one-liner all TCP traffic of a stream after a specific condition. In other words, I want to do something like:

tshark -i wlan0 -s 0 -z follow,tcp,raw,x

x=tshark -i wlan0 -s 0 -Y 'http.request.full_uri contains "blah-blah" and http.request.method == GET' -n -Tfields -e tcp.stream

How can I do that?

asked 16 Jan '16, 17:41

gregoireg's gravatar image

gregoireg
11113
accept rate: 0%

One Answer:

0

You can do that with scripting, see my answer to a very similar question:

https://ask.wireshark.org/questions/14811/follow-tcp-stream-with-tshark-still-can-not-in-batch-mode

HOWEVER you can do that only for a pcap file, and not on-the-fly while capturing on an interface (wlan0), for obvious reasons.

So, if you need/want on-the-fly TCP stream extraction, you can't use tshark. ngrep is probably the better tool then.

ngrep

http://ngrep.sourceforge.net/

Example:

ngrep -d wlan0 -O /var/tmp/http.pcap '/someurl' 'port 80 and (host 10.0.0.1 or net 1.2.3.0/24)'

Regards
Kurt

answered 19 Jan '16, 07:21

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks for the answer. I'm already doing that:

  1. tcpdump to get pcap
  2. first tshark pass to get the tcp stream id upon my http.request condition
  3. second tshark pass to extract the relevant stream as hex
  4. conversion of the stream from hex to bin

But I would like to do the same on-the-fly. How could I do that? I start to lose confidence that I can do it in a bash command. I can do 1. and 2. at the same time, as well as 3. and 4. but linking 2. and 3. doesn't seem possible. Am I right? Would my only hope be to have an app using libpcap to achieve my goal?

(19 Jan '16, 09:02) gregoireg

But I would like to do the same on-the-fly.

It depends on your definition of on-the-fly.

If that is: Extract TCP streams while tshark is capturing on an interface, then you can't! As you said yourself, you need two passes, which is impossible while tshark is capturing!

If it means only one bash command line, then the solution is in the answer I posted first.

for stream in tshark -r follow_tcp.pcap -R "ip.addr eq 127.0.0.1 and tcp.port eq 5678" -T fields -e tcp.stream | sort -n -u; do echo Stream: $stream; tshark -r follow_tcp.pcap -q -z follow,tcp,raw,$stream; done

(19 Jan '16, 10:21) Kurt Knochner ♦