How to follow tcp streams continuously along the capture with tshark / wireshark?

Question

I display the TCP stream of an already finished capture written in out.pcap with

END=$(tshark -r out.pcap -T fields -e tcp.stream | sort -n | tail -1); 
for ((i=0;i<=END;i++));
do 
echo $i; tshark -r out.pcap -qz follow,tcp,ascii,$i 
done

How can I display newly terminated TCP streams in this fashion along the packet capture?

You are looking for a UNIX shell solution? – phk Dec 25 '16 at 09:12 — phk, Dec 25 '16 at 09:12

user123456 · Accepted Answer · 2016-12-27T14:03:58.057

1

A suggest to use tcpflow instead.

If tshark should really be used, an ugly solution would be

REFF=/tmp/.streams
echo "" > $REFF
while true 
do
tshark -r $@ -T fields -e tcp.stream 2> /dev/null | sort -nu | sed '/^$/d' | while read i
do
    if [ -z "$(cat $REFF | grep "^$i$" )" ]
    then
          tshark -r $@ -qz follow,tcp,ascii,$i  | tee ${@}-stream-$i.txt
          echo $i >> $REFF
    fi
done
done

edited Dec 27 '16 at 14:03

answered Dec 27 '16 at 13:32

user123456

5,018

Could you give an example of the tcpflow command usage? (I have not used it before.) – jacobq Aug 14 '17 at 13:44
I think I figured it out...to print text of TCP connections on port 9000 use sudo tcpflow -i any -c port 9000 – jacobq Aug 14 '17 at 13:47

How to follow tcp streams continuously along the capture with tshark / wireshark?

1 Answers1

Linked