Wireshark-users: [Wireshark-users] use tshark to search for hex or ASCII string in packet?

From: Marc Luethi <netztier@xxxxxxxxxx>
Date: Wed, 09 Jan 2008 23:45:33 +0100
Hi all

I have a rather large capture file (close to 300MB) containing 8 TCP
sessions (or 8 files containing 35-40MB each). 

Essentially, all streams contain the same data, but since they are
flowing across different kinds of networks to different clients, each has
its own characteristics, different TCP window sizes, probably different
congestion avoidance algorithms of the clients and of course network
RTTs from 5ms to 110ms.

I'd like to find the timestamp of the packets that contain a certain
string (hex or ASCII) in the payload. Sometimes the string will be at
the beginning, sometimes anywhere in the payload. 

So I'd like tshark to search for a certain string and print out one line
per occurrence of it - along with the timestamp. I'd like to process the
timestamps later on to see how much they differ.

OR
==

How can I make Tshark print out the data payload as ASCII on a *single*
line instead of the hex/ascii array? Of course, this is going to lead to
lines that are 1600 characters long, but I don't care about that.

Then I could simply grep for the ASCII string I'm looking for, and with
a bit of scripting and a file that holds one search string per line, I
should be able to let it run automatically (I am aware that this is
going to take ages...)

I've tried this:

tshark -r file.pcap -T fields -e data

This yields output in hex, which I could cope with, but it lacks the
timestamp.

"-T text" gives timestamps and a bit more, but no hex/ascii data from
the payload. If I add "-V", I can see the ASCII string I'm looking for -
but in the multiline hex array output format.



TIA & best regards

Marc
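The two things the post asks for (one line per matching packet with its timestamp, for an ASCII or hex needle anywhere in the TCP payload, and the payload flattened to a single printable-ASCII line that can be grepped) as an added Python example. This is not part of the original thread and does not call tshark: it is a minimal classic-libpcap/Ethernet/IPv4/TCP parser written here for illustration, and the embedded capture is constructed test data. In tshark itself the equivalent is a display filter such as `frame contains "MARKER-42"` (given with `-R` in tshark of that era, `-Y` in current releases) combined with `-T fields -e frame.time_epoch`; the Python version simply makes the matching logic explicit and runs offline.

```python
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(payload: bytes) -> bytes:
    """Wrap payload in a minimal Ethernet/IPv4/TCP frame (constructed test data only)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip_total_len = 20 + 20 + len(payload)
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto=TCP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records: List[Tuple[int, int, bytes]]) -> bytes:
    """Serialise (ts_sec, ts_usec, payload) records into a classic pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, payload in records:
        frame = build_frame(payload)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp_seconds, raw_frame) for every record in a classic pcap image."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def tcp_payload(frame: bytes) -> Optional[bytes]:
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None if it is not one."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def parse_needle(needle: str) -> bytes:
    """Accept a plain ASCII string or 'hex:4d41...' and return the bytes to search for."""
    if needle.startswith("hex:"):
        return bytes.fromhex(needle[4:])
    return needle.encode("ascii")


def find_string(pcap: bytes, needle: str) -> List[Tuple[float, int]]:
    """One (timestamp, offset_in_payload) per packet whose TCP payload contains needle."""
    pattern = parse_needle(needle)
    hits = []
    for ts, frame in iter_packets(pcap):
        payload = tcp_payload(frame)
        if payload is None:
            continue
        idx = payload.find(pattern)  # first occurrence; anywhere in the payload
        if idx != -1:
            hits.append((ts, idx))
    return hits


def payload_lines(pcap: bytes) -> List[str]:
    """Timestamp plus the whole payload as printable ASCII on one line ('.' for other bytes)."""
    lines = []
    for ts, frame in iter_packets(pcap):
        payload = tcp_payload(frame)
        if not payload:
            continue
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in payload)
        lines.append(f"{ts:.6f}\t{text}")
    return lines


# Constructed sample capture: three TCP segments with different payloads.
SAMPLE_PCAP = build_pcap([
    (1199918733, 0, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (1199918733, 250000, b"\x00\x01\x02MARKER-42\x03\x04"),
    (1199918733, 900000, b"nothing to see here"),
])

if __name__ == "__main__":
    for ts, idx in find_string(SAMPLE_PCAP, "MARKER-42"):
        print(f"{ts:.6f}\toffset={idx}")
    for line in payload_lines(SAMPLE_PCAP):
        print(line)
```

`find_string` reports one line per matching packet, which is what the timestamp comparison in the post needs; `payload_lines` is the single-line form that a shell loop over a file of search strings could grep. Replace `SAMPLE_PCAP` with `open("file.pcap", "rb").read()` to run it over a real classic pcap capture (pcapng is not handled).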