[GTALUG] Wireshark question -- script to extract data in TCP stream?

James Knott james.knott at rogers.com
Tue Sep 26 07:11:48 EDT 2017

On 09/26/2017 12:47 AM, William Park via talk wrote:
> To network experts...
> From Wireshark, I can click "TCP Follow" tab and extract one-way data
> flow from a tcp stream.  I can do this manually, one by one.  But, I
> have many many streams.
> Does anyone know how to extract one-way data stream via script?
> Google says
>     tshark -q -r capture.pcapng -z follow,tcp,raw,0
> where '0' is the tcp stream number 0.  But, it gives me data moving both
> ways.  I just want data moving one-way.

Doesn't following a stream in Wireshark also capture both directions?
Perhaps, after exporting, you could filter out what you need.
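
One way to do the post-export filtering suggested above, as an added example that is not part of the original thread. It assumes that tshark's raw follow output prints one hex line per segment and indents lines sent by "Node 1" with a tab; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Split `tshark -q -r FILE -z follow,tcp,raw,N` output by direction.
# Assumption: lines sent by "Node 1" start with a tab, "Node 0" lines do not.

# follow_one_way NODE (0 or 1): reads follow output on stdin and writes the
# hex payload of that direction only, concatenated on a single line.
follow_one_way() {
    awk -v node="$1" '
        /^=+$/ || /^(Follow|Filter|Node [01]):/ { next }   # banner and header
        /^\t/ { if (node == 1) { sub(/^\t/, ""); printf "%s", $0 }; next }
        /^[0-9A-Fa-f]+$/ { if (node == 0) printf "%s", $0 }
        END { print "" }
    '
}

# Constructed sample of follow output (not from a real capture):
# Node 0 sends "hello" and "\n", Node 1 sends "world".
sample_follow() {
    printf '%s\n' '===================================================================' \
        'Follow: tcp,raw' 'Filter: tcp.stream eq 0' \
        'Node 0: 192.0.2.10:40000' 'Node 1: 192.0.2.20:80' '68656c6c6f'
    printf '\t%s\n' '776f726c64'
    printf '%s\n' '0a' '==================================================================='
}

# extract_all FILE NODE: run the filter over every TCP stream in a capture
# (requires tshark; hypothetical output file naming).
extract_all() {
    for s in $(tshark -r "$1" -T fields -e tcp.stream | sort -nu); do
        tshark -q -r "$1" -z "follow,tcp,raw,$s" |
            follow_one_way "$2" > "stream_$s.node$2.hex"
    done
}
```

The output is hex; piping it through `xxd -r -p` turns it back into the raw bytes of that direction.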

