This is our old Q&A Site. Please post any new questions and answers at


I have a capture file named original.pcap from a wifi capture I did. When I open it in Wireshark and properly configure decryption, I can see two HTTP POST packets. When I double-click any of those packets, I got a window that shows me the packet in three different view modes (Frame, Decrypted CCMP data and Reassembled TCP). So far, so good.

Now, I'm trying to create a new file named post.pcap using tshark with those HTTP POST packets only. I tried the following command (no copy/paste here, please ignore any typos):

tshark -r original.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\" MyPassword:MySSID\"" -Y "http.request.method == "POST" or eapol" -w post.pcap

I used UAT to config decryption in tshark. Also, I extracted eapol packets so tshark can do the decryption.

But when I open post.pcap in Wireshark, I can see the EAPOL packets and just two TCP packets, not the HTTP packets I was expecting. If I double-click one of those TCP packets, I can see it is related to the original HTTP POST, but it shows me only two view modes (Frame and Decrypted CCMP data). It seems that I need more packets in the original file in order to properly show the HTTP packets.

How can I make tshark extract the right combination of packets?


asked 25 Jul '16, 16:19

santonline's gravatar image

accept rate: 0%

edited 25 Jul '16, 16:20

There may be a way to accomplish this in a single step (possibly using MATE or some other method?), but you should be able to at least use a 2-step approach to have tshark extract the packets you need.

First, find the relevant TCP stream(s) (options omitted for brevity and clarity):

tshark -r original.pcap -Y "http.request.method == "POST"" -T fields -e

(For illustrative purposes, let's suppose there are 2 matching streams, numbers 1 and 3.)

Second, modify the filter to include the entire stream and save those packets to your file:

tshark -r original.pcap -Y " eq 1 or eq 3 or eapol" -w post.pcap
permanent link

answered 26 Jul '16, 10:41

cmaynard's gravatar image

cmaynard ♦♦
accept rate: 20%

edited 26 Jul '16, 10:50

Thank you, but I forgot to mention that I want to make a script out of it. Is there a way pass the stream IDs to the filter in the second command automatically?

(27 Jul '16, 12:02) santonline

Below is my attempt at a script that should get you more or less what you want. It can produce either a single .pcapng file with all streams in one file, or it can produce a separate .pcapng file, one for each stream.

# Usage: <infile> <outfileprefix> [unified]

if [ ${#} -lt 2 ] ; then
        echo "Usage: $0 <infile> <outfileprefix> [unified]"
        exit 0


if [ ${#} -gt 2 ] ; then
        if [ "${3}" == "unified" ] ; then

if [ ${unified} -eq 0 ] ; then
        for stream in $(tshark -r ${infile} -o wlan.enable_decryption:TRUE -Y "http.request.method==\"POST\"" -T fields -e | sort -u | tr -d '\r')
                tshark -r ${infile} -o wlan.enable_decryption:TRUE -Y " eq ${stream} or eapol" -w ${outfile_pfx}-${stream}.pcapng
                echo "Wrote ${outfile_pfx}-${stream}.pcapng"
        for stream in $(tshark -r ${infile} -o wlan.enable_decryption:TRUE -Y "http.request.method == \"POST\"" -T fields -e | sort -u | tr -d '\r')
                if [[ -z ${filter}  ]] ; then
                        filter=" eq ${stream}"
                        filter+=" or eq ${stream}"

        tshark -r ${infile} -o wlan.enable_decryption:TRUE -Y "${filter} or eapol" -w ${outfile_pfx}.pcapng
        echo "Wrote ${outfile_pfx}.pcapng"
(27 Jul '16, 13:55) cmaynard ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 25 Jul '16, 16:19

question was seen: 7,306 times

last updated: 27 Jul '16, 14:10

p​o​w​e​r​e​d by O​S​Q​A