It does not seem to be that nobody wants this functionality, but I guess most people use the tools available under linux to achieve their goals. One problem with implementing "follow XXX stream" for tshark is how to select the particular stream you're interested in as there are generally many streams in one tracefile.
If you look on ask.wireshark.org, you will see someone else needing this functionality and solving it by outputting XML data from a tracefile and merging the data to get whole HTTP requests and responses.
In other words, if you really need this functionality, you either need to develop it yourself or fill in an enhancement request @ https://bugzilla.wireshark.org. But in the latter case, there is no guarantee that it will be developed as there is a lot of things people would like to add to Wireshark.
Cheers,
Sake
On 28 dec 2010, at 03:39, Average Guy wrote:
> Thanks Abhijit, a few issues with this thread, most important being I am using Windows which rules out tcpflow and any other *nix based tool. Also, I am not searching for any particular string and I need output(printed or saved ) exactly like "Follow TCP Stream->Save As" in Wireshark. I am trying to convince myself that there is an option in tshark since the bevaior is defined in Wireshark... but I am having a hard time believing there is hardly anyone out there in search of similar functionality.
>
> AG
>
> From: Abhijit Bare <abhibare@xxxxxxxxx>
> To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Sent: Mon, December 27, 2010 5:51:03 PM
> Subject: Re: [Wireshark-users] tshark Question
>
> Wondering if this thread will help you...
>
> http://www.wireshark.org/lists/wireshark-users/201005/msg00221.html
>
> On Mon, Dec 27, 2010 at 1:19 PM, Average Guy <averageguy333@xxxxxxxxx> wrote:
> Better way of putting this, I am looking for the same output as in wireshark:
>
> Follow TCP Stream->Save As(Raw)
>
> -AG
>
> From: Average Guy <averageguy333@xxxxxxxxx>
> To: wireshark-users@xxxxxxxxxxxxx
> Sent: Mon, December 27, 2010 1:27:14 PM
> Subject: [Wireshark-users] tshark Question
>
> Greetings,
>
> I am trying to extract the TCP Payload from reassembled TCP streams in Windows. The data I am interested in can be found in tshark output when -x option is used. When -x is used, the section/filed is called "Reassembled TCP". I can not find an option or field in tshark to print or output this section. In short I am trying to do the same thing tcpflow does in Linux and dump the payload of reassembled TCP streams. There is no particular reason why I am using tshark since it is the only tool(win32) I have found so far but I am open to suggestions. Thank you in advance.
>
> AG
>
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
