This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

export data

0

Hi, I need to export the data from my capture. I am aware of follow the stream, save as. It works fine for small captures. If the capture is big this operation will never end. Can this operation be done as the batch? I hope for better performance.. If yes, can you advise the exact command and parameter? thx Bob

asked 13 Dec '16, 13:23

cz50344's gravatar image

cz50344
6113
accept rate: 0%

One Answer:

1

You may want to check out the tshark option -z follow. For example to follow TCP stream 1 and store the raw data you could run tshark -z follow,tcp,raw,1 [-r /path/to/file]. Check out the tshark man page for details.

answered 04 Jan '17, 06:31

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

Hi,

it is almost perfect answer. Thanks for it.

Now - Can we extract only one direction? I have tried this, but it does not work. I am not able to filter for only one direction.

tshark -z follow,tcp,raw,((ip.src eq 9.138.236.197 and tcp.srcport eq 39647) and (ip.dst eq 9.138.236.247 and tcp.dstport eq 2501)) -r qsysprt.trccnn.cap -w oout.pcl

Thanks

Bob

(04 Jan '17, 09:21) cz50344

The filter in this case is there to select the stream not to select the direction. I think you'll need to post-process the data using the fact that, as the man page says: The data sent by the second node is prefixed with a tab to differentiate it from the data sent by the first node.

BTW, don't forget to accept the answer (if it answers your question) by clicking on the checkbox next to it--see the FAQ for details.

(04 Jan '17, 10:06) JeffMorriss ♦