Wireshark-users: Re: [Wireshark-users] Automating TCP stream extraction

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 1 Aug 2007 11:05:34 +0200
On Wed, Aug 01, 2007 at 08:37:07AM +0100, Nick Chorley wrote:
> Wireshark's "Follow TCP stream" feature is quite useful to me and I'm
> wondering if there is any way to "automate" this process and write stream
> data to files. I am easily able to create filtering rules like "(ip addr eq
> and ip addr eq and (tcp.port eq 80 and tcp.port eq
> 5022)" and what I would like to do is have a list of these and be able to go
> through each rule in the list, apply it and dump the stream output to a file.
> Is this at all possible with Wireshark or is there any other tool I can use
> to do this?

Wireshark in itself is not capable of doing this. But scripting
around tshark should do the trick. On the different Unix platforms
this can be done quite easily, and on my Windows PC I have Cygwin
installed to make life easier.

You could use something in bash like:

# one filter per line; spaces are swapped for "_" so the for-loop sees one word per filter
for f in `cat <file-with a filter per line> | tr " " "_"`
do
   filter=`echo $f | tr "_" " "`    # put the spaces back
   echo "processing file with filter $filter"
   tshark -r <input-file> -w "$filter.cap" -R "$filter"
done

To make it even fancier, you can create the filters dynamically as well.
The following will look for all SYN packets and make a filter for
every session for which a SYN is seen; it then uses these filters to
split up the capture file into individual TCP flows:

# list every pure SYN as src_sport_dst_dport (tr strips the CR that Windows builds emit)
for f in `tshark -r <input file> -T fields -E separator=_ -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -R "tcp.flags.syn==1 && tcp.flags.ack==0" | tr -d "\015"`
do
   # turn the 4-tuple into a display filter for that session
   filter=`echo $f | awk -F_ '{printf("ip.addr==%s and tcp.port==%s and ip.addr==%s and tcp.port==%s\n",$1,$2,$3,$4)}'`
   outfile="$f.cap"
   echo "processing file with filter $filter"
   tshark -r <input file> -w "$outfile" -R "$filter"
done

I hope this helps, Cheers,
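An added example, not part of Sake's reply, building on the second script above. It makes the per-session filter direction-exact (the `ip.addr`/`tcp.port` form also matches the mirror pairing A:D to C:B, so two sessions could land in one file) and drops retransmitted SYNs so a session is not extracted twice. The sample 4-tuples are constructed; `split_capture` assumes tshark is installed and keeps the `-R` flag from the original (newer tshark versions take `-Y` for a display filter here).

```shell
#!/bin/sh
# Direction-exact display filter for one TCP session.
# $1 is a src_sport_dst_dport tuple as produced by "tshark -T fields -E separator=_".
flow_filter() {
    printf '%s\n' "$1" | awk -F_ '{
        printf("(ip.src==%s and tcp.srcport==%s and ip.dst==%s and tcp.dstport==%s)", $1, $2, $3, $4)
        printf(" or (ip.src==%s and tcp.srcport==%s and ip.dst==%s and tcp.dstport==%s)\n", $3, $4, $1, $2)
    }'
}

# Reduce a SYN list (stdin) to unique sessions: a retransmitted SYN repeats the
# same 4-tuple and would otherwise overwrite the same output file a second time.
unique_flows() {
    tr -d '\015' | grep -v '^$' | sort -u
}

# Number of distinct sessions in a SYN list on stdin.
count_flows() {
    unique_flows | wc -l | tr -d ' '
}

# Drive tshark: $1 = input capture, stdin = SYN 4-tuples (needs tshark; not exercised offline).
split_capture() {
    in="$1"
    unique_flows | while IFS= read -r f; do
        filter=$(flow_filter "$f")
        printf 'processing %s.cap with filter %s\n' "$f" "$filter"
        tshark -r "$in" -w "$f.cap" -R "$filter"
    done
}

# Constructed sample: three pure SYNs, the second a retransmission of the first.
SAMPLE_SYNS='10.0.0.5_51234_93.184.216.34_80
10.0.0.5_51234_93.184.216.34_80
10.0.0.7_40001_10.0.0.9_5022'

# Typical use (hypothetical capture name), feeding the real SYN list in:
#   tshark -r in.cap -T fields -E separator=_ -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
#       -R "tcp.flags.syn==1 && tcp.flags.ack==0" | split_capture in.cap
```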