This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

reconstruct/create a stream file from pcap

0

I have a pcap and filter it to a TCP stream index and source IP. I want to build a file from the packets' (reconstructed) streamed data.

Is there a way to do this with Wireshark? Or do I need to create my own method for this?

asked 19 Mar '12, 15:38


auldh


One Answer:

1

That depends on what you're trying to do.

If you want all the data from one or both sides of a TCP connection, try using Analyze->Follow TCP Stream and saving from that.

If you want an object transferred with, for example, HTTP or the SMB file access protocol, try File->Export->Objects->{HTTP,SMB} (it will offer a list of objects in the capture and let you save one or all of them).

If neither of those is what you want, you might want to look at tcpflow.

answered 19 Mar '12, 17:30


Guy Harris ♦♦

Thank you, I will do. I only want one side of the stream, the receiving side.

(30 Mar '12, 08:39) auldh

The protocol is TCP. I want to extract the TCP segment data of the specified bytes on the receive side/source.

I want to reconstruct that. It is not VoIP, so I can't use the telephony feature.

(31 Mar '12, 09:36) auldh

Then it sounds as if you want the first of my suggestions - Analyze->Follow TCP Stream, which, as I remember, will let you save only one side of the conversation if you want that.

(31 Mar '12, 19:17) Guy Harris ♦♦
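
For the "create my own method" route raised in the question, here is an added example (not part of the original thread and not Wireshark code) that rebuilds one direction of a TCP conversation from a capture, ordering segments by sequence number and dropping retransmitted bytes. It assumes a classic little-endian pcap file with Ethernet framing and unfragmented IPv4; the function names, addresses and sample capture are constructed for illustration.

```python
import struct
from socket import inet_aton, inet_ntoa

def one_side_payload(pcap, src, dst):
    """Reassemble the bytes sent from src=(ip, port) to dst=(ip, port) in a classic pcap."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:        # assumption: little-endian pcap, Ethernet
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    segments, isn, off = {}, None, 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<8xI", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                # not IPv4 carrying TCP
        tcp = 14 + (frame[14] & 0x0F) * 4           # skip the IP header and its options
        ip_total, = struct.unpack_from("!H", frame, 16)
        sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
        if ((inet_ntoa(frame[26:30]), sport), (inet_ntoa(frame[30:34]), dport)) != (src, dst):
            continue                                # other direction or another stream
        data = frame[tcp + (frame[tcp + 12] >> 4) * 4: 14 + ip_total]  # drops Ethernet padding
        if frame[tcp + 13] & 0x02:                  # SYN consumes one sequence number
            isn = (seq + 1) & 0xFFFFFFFF
        elif data:
            segments.setdefault(seq, data)          # keep the first copy of a retransmission
    isn = min(segments, default=0) if isn is None else isn  # no SYN: capture began mid-stream
    out = bytearray()
    for rel, data in sorted(((s - isn) & 0xFFFFFFFF, d) for s, d in segments.items()):
        if rel > len(out):
            break                                   # gap: a segment is missing from the capture
        out += data[len(out) - rel:]                # skip bytes already written (overlap)
    return bytes(out)

def make_record(src, dst, seq, flags, data=b""):
    """Constructed test input: one pcap record holding an Ethernet/IPv4/TCP frame."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 5 << 4, flags, 8192, 0, 0) + data
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0) + inet_aton(src[0]) + inet_aton(dst[0])
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: the server's data arrives out of order with one retransmission.
CLIENT, SERVER = ("192.0.2.10", 40000), ("192.0.2.20", 80)
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    make_record(SERVER, CLIENT, 5000, 0x12),                  # SYN-ACK
    make_record(CLIENT, SERVER, 1001, 0x18, b"GET /\r\n"),
    make_record(SERVER, CLIENT, 5007, 0x18, b"world"),        # arrives early
    make_record(SERVER, CLIENT, 5001, 0x18, b"hello "),
    make_record(SERVER, CLIENT, 5001, 0x18, b"hello "),       # retransmission
])
```

Calling `one_side_payload(SAMPLE_PCAP, SERVER, CLIENT)` returns only the bytes the server sent; write the result to a file opened in binary mode to get the reconstructed stream.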