Wireshark-users: [Wireshark-users] follow [tcp|ssl].stream with tshark
Date: Thu, 19 Nov 2015 13:29:43 +0100

I've been trying to get the streams, tcp or ssl, out with tshark,
without success, for long.

The closest that I got to why it seems to not work is after I tried it
with better scripts than I was able to write, so far:

Using Tshark To View Raw Socket Streams

Here's that precious script, in its entirety, just in case:

=========== START PASTE =============


if [ "$#" -lt 1 ]; then
        echo "Usage: tshark_strams.sh <pcap file> [filter rules]"

if [ ! -z "$2" ]; then
        STREAMS=$(tshark -r "$1" -R "$2" -T fields -e tcp.stream | sort -n | uniq)
        STREAMS=$(tshark -r "$1" -T fields -e tcp.stream | sort -n | uniq)

for i in $STREAMS
        INDEX=`printf '%.5d' $i`

        echo "Processing stream $INDEX ..."

        tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i | tail -n +7 | tr -d '=\r\n\t' | xxd -r -p > "$1"_stream-$INDEX.bin
        tshark -r "$1" -qz follow,tcp,ascii,$i > "$1"_stream-$INDEX.txt

=========== END PASTE =============

In short, what I get in wireshark if I right click > Follow tcp|ssl
stream (where window opens with that content) > Save 

is not the same, and can even be confusingly different from what I get
with, picking up the line that does it in the script above:

tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i

Aside that with the Wireshark-2.0.0_rc3 wasn't working right, as per the
net-analyzer/wireshark-2.0.0_rc3 saves different tcp streams
(surely hope wireshark-2.0.0 will work right, but it's not yet in Gentoo

and working with net-analyzer/wireshark-1.12.8-r1, and trying to show it
on concrete samples...

(On concrete samples), what I get with Wireshark, exactly as I explained
in (pls. to cut the chase search for the string

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox

is what you can download, follow the procedure in the above Gentoo
Forums topic, in that post, and get the Javascript file plain out, with
the file dump_150927_1848_g0n.dump from:

but what I can get with this command:

tshark -r "$1" -T fields -e data -qz follow,tcp,raw,$i \
	| tail -n +7 | tr -d '=\r\n\t' | xxd -r -p > "$1"_stream-$INDEX.bin

simplified for one instance, and so I tried these tshark commands (I
only didn't use the "tail -n +7" part) :

tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
	-qz follow,tcp,raw,9 > dump_150927_1848_g0n_s09_TRY.bin
tshark -r dump_150927_1848_g0n.pcap -T fields -e data -\
	qz follow,tcp,raw,9  | tr -d '=\r\n\t' > dump_150927_1848_g0n_s09_TRY_tr.bin
tshark -r dump_150927_1848_g0n.pcap -T fields -e data \
	-qz follow,tcp,raw,9  | tr -d '=\r\n\t'  | xxd -r -p \
	> dump_150927_1848_g0n_s09_TRY_tr_xxd.bin

is never close to getting anything out of that stream...

I uploaded what I got in:


How to learn to do these things?

Thanks for your kind consideration!
(And pls. see following emails for possible ERRATA :-) )
Miroslav Rovis
Zagreb, Croatia

Attachment: signature.asc
Description: PGP signature