This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract payload from TCP stream

0

I am using Wireshark to capture packets generated from my simulation testbed. I want to extract the payload from the frames and store them as a raw data or csv file to use them in my machine learning algorithm. My capture is a set of streams, and I want the payload from each of them in a separate file without needing to manually choose stream after stream. I tried (tcp.stream eq 4) but it is a laborious task to go one by one!! Is there a quick way?

asked 05 Oct '16, 07:54

mraseeri
accept rate: 0%

edited 05 Oct '16, 11:48

grahamb ♦

I'm not sure I get you right. Are you interested in data from all packets of a single stream and you have a problem that you have to copy them packet by packet, or do you have a hundred streams in your capture and you want the data from each of them in a separate file without needing to manually choose stream after stream?

(05 Oct '16, 08:30) sindy

Yes, I should've been clear on that. I have a set of streams and I want the data from each of them in a separate file without needing to manually choose stream after stream. I'll update my question.

(05 Oct '16, 08:43) mraseeri

2 Answers:

0

To extract data from several distinct TCP streams in a capture file, one file per stream, you need to use scripting around tshark.

First, you would run

tshark -r "your/capture/file" -Y usb -z conv,tcp

and count the number of output lines to determine the total number of TCP sessions in the capture and store it in sess_count. The number of sessions is the number of lines minus 6 (the table header and footer). -Y usb is used to prevent any individual packets from being printed.

Next, you would run, in a for (i=0; i < sess_count; i++) cycle:

tshark -r "your/capture/file" -Y usb -z follow,tcp,hex,$i > session_$i.hex

The details can be found in the tshark man page on the Wireshark wiki.

answered 05 Oct '16, 09:13

sindy
accept rate: 24%
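Each session_$i.hex produced by the loop above is still a hex dump; to feed the payloads to an ML pipeline they have to be turned back into raw bytes, one buffer per direction. The following Python parser is an added example, not part of this answer or of Wireshark; it assumes tshark's follow hex layout (8-digit offset, 49-character hex region, then the ASCII column, with node 1's rows tab-indented) and runs on a constructed sample rather than a real capture.

```python
import re
from dataclasses import dataclass, field

# Dump row: optional leading tab (node 1 -> node 0 direction), 8-digit hex offset, two
# spaces, a 49-char hex region (16 bytes * 3 chars + 1 gap after byte 8), then ASCII.
_ROW = re.compile(r"^(\t?)([0-9A-Fa-f]{8})  (.*)$")
_NODE = re.compile(r"^Node ([01]): (\S+)")

@dataclass
class FollowStream:
    nodes: list = field(default_factory=lambda: ["", ""])  # "ip:port" of node 0 and 1
    to_node1: bytearray = field(default_factory=bytearray)  # node 0 -> node 1 payload
    to_node0: bytearray = field(default_factory=bytearray)  # node 1 -> node 0 payload

def parse_follow_hex(text: str) -> FollowStream:
    """Rebuild both directions of one followed TCP stream from tshark's hex dump."""
    fs = FollowStream()
    for line in text.splitlines():
        n = _NODE.match(line)
        if n:
            fs.nodes[int(n.group(1))] = n.group(2)
            continue
        m = _ROW.match(line)
        if not m:
            continue  # "Follow:", "Filter:" and "=====" banner lines
        tabbed, offset, rest = m.group(1), int(m.group(2), 16), m.group(3)
        buf = fs.to_node0 if tabbed else fs.to_node1
        # Offsets restart per direction; a mismatch means a dropped or mangled row.
        if offset != len(buf):
            raise ValueError(f"offset {offset:#x} != bytes seen so far {len(buf):#x}")
        for tok in rest[:49].split():  # 49 = assumed fixed width of the hex region
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII column on a short row
            buf.append(int(tok, 16))
    return fs

# Constructed sample in tshark's `-z follow,tcp,hex,0` layout (not a real capture); node 1 rows are tab-indented.
SAMPLE = """\
===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 0
Node 0: 192.168.101.102:2345
Node 1: 10.11.12.13:45103
00000000  47 45 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  GET / HTTP/1.1..
00000010  0d 0a                                              ..
\t00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d  HTTP/1.1 200 OK.
\t00000010  0a 0d 0a                                           ...
===================================================================
"""
```

Write bytes(fs.to_node1) and bytes(fs.to_node0) to two .bin files per session; the offset check raises if a row went missing, which is worth catching before a truncated dump silently becomes training data.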

0

Try using tcpflow; it reads a pcap file and exports each TCP stream to a separate file of the form 192.168.101.102.02345-010.011.012.013.45103, where the contents of the file would be the data transmitted from host 192.168.101.102 port 2345 to host 10.11.12.13 port 45103.

answered 05 Oct '16, 11:47

grahamb ♦
accept rate: 22%