Wireshark-users: [Wireshark-users] tshark commands

From: David Milbourne <dmilbo@xxxxxxxxx>
Date: Wed, 19 May 2010 12:49:20 -0400

Hello,

I'm trying to figure out how to use Wireshark's "Follow TCP Stream" feature in tshark.  For example, I have a PCAP file and I'd like to extract out all of the .ntf files.  I know if I type:

tshark -r server.pcap -R "data contains NTF0"

This will show me a list of the streams in the PCAP file that contain the above string.  However, how can I re-create these files (similar to "Follow TCP Stream" and "save as" in Wireshark)?

Thank you,
DM