Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] How to "Follow TCP Stream" Using tshark

From: Richard Bejtlich <taosecurity@xxxxxxxxx>
Date: Sat, 21 Nov 2009 19:56:44 -0500
On Sat, Nov 21, 2009 at 2:08 PM, Mathew Brown <mathewbrown@xxxxxxxxxxx> wrote:
> Hi,
>  I was wondering if anyone can highlight how to tell tshark to "Follow
>  TCP Stream" which you can easily do using the Wireshark GUI.  Thanks.
> --
>  Mathew Brown
>  mathewbrown@xxxxxxxxxxx

Hi Mathew,

I don't know if Tshark can rebuild a TCP stream such that the result
is a representation of the TCP payload, but Tcpflow can.

http://www.circlemud.org/~jelson/software/tcpflow/

Sincerely,

Richard