This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Save tcp stream according to number of packets?

In my current pcap file, I have over 500 TCP streams and UDP streams (according to the Statistics -> Conversations in Wireshark). But many of them only have a few packets being passed between the source and destination.

I want to analyze the streams that have more than, say 100 packets, sent from A to B. I saw a way to save tcp streams to separate pcap files here: https://ask.wireshark.org/questions/4677/easy-way-to-save-tcp-streams

But that command saves all the tcp streams, which I don't need. As a matter of fact, I don't need all the payload either, I only want all the basic information of each stream saved in a separate file. I thought about exporting straight from Wireshark, but that wouldn't group them according to individual flows.

So basically, I want a way to save all the packet information (without the payload) of every flow (that has more than 100 packets) in separate files. Is there anyway to do this?

Thanks for the help!

tcp.stream flow tshark stream wireshark

asked 10 Dec '16, 20:54

mrk
11●1●1●3
accept rate: 0%

One Answer:

You can do this with TraceWrangler, using the latest semi-automated build available here: https://www.tracewrangler.com/download/automated/

Start TraceWrangler
Add capture file(s) to the list
Open Tools -> Conversation Summary
Select TCP Tab, and sort by "Packets" column with descending number of packets
Mark the number of rows you want, e.g. by clicking on the first row, and using Shift + Cursor down
Right click on the selected rows, and select "Extract" -> "to multiple files"
Activate the "Truncate" checkmark box and select "Layer 4"
Press the "Okay" button to run the extraction

You should get a sub directory called "extracted" with one file per flow.

answered 12 Dec '16, 05:36

Jasper ♦♦
23.8k●5●51●284
accept rate: 18%

Thank you! This is exactly what I wanted

(13 Dec '16, 21:41) mrk