Wireshark-users: [Wireshark-users] extract tcp session tshark

From: Christophe Vandeplas <christophe@xxxxxxxxxxxxx>
Date: Wed, 11 May 2011 10:38:55 +0200
Hello


I'm desperately trying to extract the full tcp session/flow of packets to files.

The functional thing I want to reach is the same as the following using the GUI:
- open pcap file
- foreach stream as $i
-- filter: tcp.stream eq $i
--  Analyze > Follow TCP stream > Save As > enter filename
-- next stream

I have tried techniques like:
- tcpflow (which I even patched for extra features)
- chaosreader
- snort
However, tcpflow and chaosreader don't reassemble the packets in the
right order (if they arrived in the wrong order), nor do they
ignore retransmissions.
This results in corrupted data in my flow/output files.
Snort (on my setup) went completely wrong with corrupted output files.
However on other systems it seemed to work.


I'm really convinced that it should be feasible with tshark. However, I
haven't found the way to do this (neither manually nor automatically).
I have looked into the -T fields, but with no result.
Can someone give me some advice? Maybe with lua scripts?


Thanks a lot for your expertise and help

Christophe
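The GUI procedure from the post (loop over every tcp.stream, follow it, save the payload) as an added shell example; this is not code from the original post or from the Wireshark project. It assumes a tshark new enough to support the `-z follow,tcp,raw,<stream>` statistic, which was not in the tshark releases current when this was posted, and `xxd` for hex decoding; tshark's own TCP reassembly orders segments and drops retransmissions, which is the part tcpflow and chaosreader got wrong.

```shell
#!/bin/sh
# Added example: dump every TCP stream of a capture to per-stream files
# using tshark's reassembly. Assumes "-z follow,tcp,raw,<id>" support and xxd.

# List the distinct tcp.stream ids in a capture, one per line (non-TCP
# packets produce empty fields, which awk 'NF' drops).
list_streams() {
    tshark -r "$1" -T fields -e tcp.stream | awk 'NF' | sort -n -u
}

# Read "-z follow,tcp,raw" output on stdin and print only the hex payload
# chunks of one direction. tshark prints client->server chunks flush left
# and server->client chunks indented with a tab; the banner, Filter/Node
# lines and "====" delimiters are dropped.
follow_hex() {
    case "$1" in
        c2s) awk '/^[0-9a-f]+$/ { print }' ;;
        s2c) awk '/^\t[0-9a-f]+$/ { sub(/^\t/, ""); print }' ;;
        *)   echo "usage: follow_hex c2s|s2c" >&2; return 1 ;;
    esac
}

# Turn the hex lines from follow_hex into raw bytes.
hex_to_bin() {
    tr -d '\n' | xxd -r -p
}

# Save one stream as <outdir>/stream-<id>.c2s and <outdir>/stream-<id>.s2c.
dump_stream() {
    pcap=$1; id=$2; outdir=$3
    tshark -r "$pcap" -q -z "follow,tcp,raw,$id" > "$outdir/.follow.$id"
    follow_hex c2s < "$outdir/.follow.$id" | hex_to_bin > "$outdir/stream-$id.c2s"
    follow_hex s2c < "$outdir/.follow.$id" | hex_to_bin > "$outdir/stream-$id.s2c"
    rm -f "$outdir/.follow.$id"
}

# The whole loop from the post: open the pcap, for each stream, follow and save.
dump_all_streams() {
    pcap=$1; outdir=${2:-streams}
    mkdir -p "$outdir"
    for id in $(list_streams "$pcap"); do
        dump_stream "$pcap" "$id" "$outdir"
    done
}

# Constructed sample of what "-z follow,tcp,raw,0" prints (an HTTP GET and a
# two-chunk 200 reply), used to exercise follow_hex without a capture file.
sample_follow_output() {
    printf '===\nFollow: tcp,raw\nFilter: tcp.stream eq 0\nNode 0: 10.0.0.1:40000\nNode 1: 10.0.0.2:80\n'
    printf '474554202f20485454502f312e300d0a0d0a\n\t485454502f312e3020323030204f4b0d0a\n\t0d0a68656c6c6f\n===\n'
}
```

Run `dump_all_streams capture.pcap out/` to get one pair of files per stream; the `.c2s` file holds what the client sent, the `.s2c` file what the server sent.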