Hi Mathew,
You can use TShark statistics to show all tcp streams:
$ tshark -r test.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
| <- | |
-> | | Total |
| Frames Bytes | | Frames
Bytes | | Frames Bytes |
192.168.1.2:2056 <-> 209.85.229.103:80 13 11456 12
2419 25 13875
192.168.1.2:2055 <-> 209.85.229.103:80 12 7542 11
2449 23 9991
192.168.1.2:2058 <-> 209.85.229.103:80 12 10276 9
1698 21 11974
192.168.1.2:2057 <-> 209.85.229.103:80 9 6814 9
1589 18 8403
192.168.1.2:2059 <-> 209.85.229.101:80 3 322 5
821 8 1143
================================================================================
Next you can use a display filter to save the stream to a separate capture
file:
$ tshark -r test.pcap -R "ip.addr==192.168.1.2 && tcp.port==2058 && ip.addr==192.168.1.2
&& tcp.port==80" -w stream.pcap
34 15.444707 192.168.1.2 -> 209.85.229.103 TCP 62 0 2058 > 80 [SYN] Seq=0
Win=65535 Len=0 MSS=1460
47 15.460711 209.85.229.103 -> 192.168.1.2 TCP 62 0 80 > 2058 [SYN, ACK]
Seq=0 Ack=1 Win=5720 Len=0 MSS=1460
48 15.460746 192.168.1.2 -> 209.85.229.103 TCP 54 0 2058 > 80 [ACK] Seq=1
Ack=1 Win=65535 Len=0
49 15.497307 192.168.1.2 -> 209.85.229.103 HTTP 601 547 GET <snip>
Hope this helps.
Joan
On Sat, 21 Nov 2009 11:08:57 -0800 Mathew Brown wrote:
>
>Hi,
> I was wondering if anyone can highlight how to tell tshark to "Follow
> TCP Stream" which you can easily do using the Wireshark GUI. Thanks.
>--
> Mathew Brown
> mathewbrown@xxxxxxxxxxx
