This is a static archive of our old Q&A Site. Please post any new questions and answers at

tshark follow tcp flow for a 400M pcap file extremely slow


I have a 400M bytes pcap file which contains one TCP flow. I want to extract the transferred data on this flow. So I follow tcp flow and extract the data to tmp file. The command is as below. Result of this command is correct. But the performance is very bad. It takes 7~8 minutes. Is there any method to improve the performance?

tshark -n -r "query29_reconstructFileFTP32705_1.pcap" -q -z "follow,tcp,raw,," > fm_tmp_txt

asked 27 Jul '17, 06:58

hdl2041827's gravatar image

accept rate: 0%