[GTALUG] Wireshark question -- script to extract data in TCP stream?
Alvin Starr
alvin at netvel.net
Tue Sep 26 07:39:05 EDT 2017
On 09/26/2017 07:11 AM, James Knott via talk wrote:
> On 09/26/2017 12:47 AM, William Park via talk wrote:
>> To network experts...
>>
>> From Wireshark, I can click "TCP Follow" tab and extract one-way data
>> flow from a tcp stream. I can do this manually, one by one. But, I
>> have many many streams.
>>
>> Does anyone know how to extract one-way data stream via script?
>>
>> Google says
>> tshark -q -r capture.pcapng -z follow,tcp,raw,0
>> where '0' is the tcp stream number 0. But, it gives me data moving both
>> ways. I just want data moving one-way.
> Doesn't following stream in Wireshark also capture both directions?
> Perhaps, after exporting, you could filter out what you need.
>
you could capture only one way traffic by filtering the input with
something like "dst host 1.2.3.4".
I am not sure how that would impact the tcp stream following though.
--
Alvin Starr || land: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
alvin at netvel.net ||
More information about the talk
mailing list