Hey guys, I hope what I'm trying to achieve isn't too complicated: Let's say I have a pretty small pcap, I can go packet by packet and click "Follow TCP\UDP stream" and save what I get as C Arrays file, and if something is saved already - not to save it again (let's say all the files are in the same folder) Now I want to automate it with tshark. Every file need to have a number based on the first packet that created this stream. Assuming I got a pcap with 2 streams, the first is a UDP DNS request to google servers and the second is just some http browsing. I want to get 2 files in my folder: 0_UDP and 1_TCP. Each file will contain what it would have contained if I clicked "Follow tcp\udp stream" in the gui and saved as C Arrays. asked 24 Feb '16, 07:59 danielcp |
One Answer:
tshark has the "-z follow" option to allow automation of following TCP and UDP (and SSL) streams but this option does not have the ability to save the results as C arrays. It does have a "raw" (hexadecimal) output which wouldn't be hard to manipulate into C arrays. You could also raise an enhancement request to ask that C arrays be added as an output option. (Using that option would also require you to call tshark multiple times, once for each stream you want to save.) Other tools such as tcpflow might also work for you. answered 25 Feb '16, 15:14 JeffMorriss ♦ |