This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hey guys, I hope what I'm trying to achieve isn't too complicated: Let's say I have a pretty small pcap. I can go packet by packet, click "Follow TCP\UDP stream" and save what I get as a C Arrays file, and if something is saved already, not save it again (let's say all the files are in the same folder). Now I want to automate it with tshark. Every file needs to have a number based on the first packet that created this stream. Assuming I have a pcap with 2 streams, the first is a UDP DNS request to Google servers and the second is just some HTTP browsing. I want to get 2 files in my folder: 0_UDP and 1_TCP. Each file will contain what it would have contained if I had clicked "Follow tcp\udp stream" in the GUI and saved as C Arrays.

asked 24 Feb '16, 07:59

danielcp


tshark has the "-z follow" option to allow automation of following TCP and UDP (and SSL) streams but this option does not have the ability to save the results as C arrays. It does have a "raw" (hexadecimal) output which wouldn't be hard to manipulate into C arrays. You could also raise an enhancement request to ask that C arrays be added as an output option.

(Using that option would also require you to call tshark multiple times, once for each stream you want to save.)

Other tools such as tcpflow might also work for you.

answered 25 Feb '16, 15:14

JeffMorriss ♦
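The conversion suggested in the answer above, as an added example that is not part of the original answer or of Wireshark: it parses the text printed by `tshark -q -z follow,<proto>,raw,<index>` and renders each payload chunk as a C array. The `peer<side>_<n>` naming and the 8-bytes-per-row layout are assumptions modelled on the GUI export, the sample text is constructed, and the stream index is tshark's per-protocol index, not the global numbering the question asks for.

```python
import subprocess

# Constructed sample of `tshark -q -z follow,tcp,raw,0` output (not a real capture).
# Node 0 payload lines start at column 0; Node 1 payload lines are tab-indented.
SAMPLE = (
    "===================================================================\n"
    "Follow: tcp,raw\n"
    "Filter: tcp.stream eq 0\n"
    "Node 0: 192.0.2.10:49152\n"
    "Node 1: 192.0.2.20:80\n"
    "474554202f20485454502f312e310d0a0d0a\n"
    "\t485454502f312e3120323030204f4b0d0a0d0a\n"
    "===================================================================\n"
)

def follow_raw(pcap, proto, index):
    """Run tshark once for one stream (proto is 'tcp' or 'udp'); return its output."""
    cmd = ["tshark", "-r", pcap, "-q", "-z", f"follow,{proto},raw,{index}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_follow_raw(text):
    """Return [(peer, payload_bytes), ...] in the order tshark printed them."""
    chunks = []
    for line in text.splitlines():
        peer = 1 if line.startswith("\t") else 0
        hexdata = line.strip()
        if not hexdata:
            continue
        try:
            chunks.append((peer, bytes.fromhex(hexdata)))
        except ValueError:
            continue  # banner, "Follow:", "Filter:" and "Node N:" lines are not hex
    return chunks

def to_c_arrays(chunks, per_line=8):
    """Render chunks as C arrays named peer<side>_<n>, with n counted per side."""
    counters, out = {0: 0, 1: 0}, []
    for peer, data in chunks:
        rows = [", ".join(f"0x{b:02x}" for b in data[i:i + per_line])
                for i in range(0, len(data), per_line)]
        out.append(f"char peer{peer}_{counters[peer]}[] = {{\n"
                   + ",\n".join(rows) + " };")
        counters[peer] += 1
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_c_arrays(parse_follow_raw(SAMPLE)), end="")
```

For a real capture, pass the result of `follow_raw("capture.pcap", "tcp", 0)` to `parse_follow_raw` and write the rendered text to the per-stream file; `capture.pcap` is a placeholder name.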

question asked: 24 Feb '16, 07:59

question was seen: 2,661 times

last updated: 25 Feb '16, 15:14

p​o​w​e​r​e​d by O​S​Q​A