Re: [GTALUG] Wireshark question -- script to extract data in TCP stream? (Solved)

27 Sep 2017

      OK, I found a way to do post-filtering.  For your reference, here are
mini how-to...

1.  Key insight is 

	tshark -q -r capture.pcapng -z follow,tcp,raw,n

    where 'n' is tcp stream number.  Its output is something like

	===================================================================
	Follow: tcp,raw
	Filter: tcp.stream eq 0
	Node 0: 10.10.13.40:58447
	Node 1: 10.10.12.132:9100
	1d7201
		00
	===================================================================

    What I want is data sent to port 9100.  It's Node 0 (left-flushed),
    here, but sometimes it's Node 1 (indented by \t).  The script to
    extract data sent to port 9100 is 

	while IFS=: read header ip port; do
	    case $header:$port in
		=*= | Follow | Filter) PRINTER_NODE= ;;
		Node\ 0:9100) PRINTER_NODE=node0 ;;
		Node\ 1:9100) PRINTER_NODE=node1 ;;
	    esac
	    case $header:$PRINTER_NODE in
		[0-9a-f][0-9a-f]*:node1) echo $header ;;
		$'\t'[0-9a-f][0-9a-f]*:node0) echo $header ;;   # need /bin/bash
	    esac
	done

2.  Now, I need tcp stream numbers.  This will print them out.

	tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T fields -e tcp.stream

    If they are sequential 0 to N, then you can do

	for n in $(seq 0 N); do
	    tshark -q -r capture.pcapng -z follow,tcp,raw,$n
	done

    If they are not sequential, then 

	for n in $(tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T
	fields -e tcp.stream | sort -nu); do
	    tshark -q -r capture.pcapng -z follow,tcp,raw,$n
	done

    Putting them together in a pipe,

	for n in $(tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T
	fields -e tcp.stream | sort -nu); do
	    tshark -q -r capture.pcapng -z follow,tcp,raw,$n
	done | while IFS=: read header ip port; do
	    case $header:$port in
		=*= | Follow | Filter) PRINTER_NODE= ;;
		Node\ 0:9100) PRINTER_NODE=node0 ;;
		Node\ 1:9100) PRINTER_NODE=node1 ;;
	    esac
	    case $header:$PRINTER_NODE in
		[0-9a-f][0-9a-f]*:node1) echo $header ;;
		$'\t'[0-9a-f][0-9a-f]*:node0) echo $header ;;   # need /bin/bash
	    esac
	done

4.  Converting from hex to binary.

	for n in $(tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T
	fields -e tcp.stream | sort -nu); do
	    tshark -q -r capture.pcapng -z follow,tcp,raw,$n
	done | while IFS=: read header ip port; do
	    case $header:$port in
		=*= | Follow | Filter) PRINTER_NODE= ;;
		Node\ 0:9100) PRINTER_NODE=node0 ;;
		Node\ 1:9100) PRINTER_NODE=node1 ;;
	    esac
	    case $header:$PRINTER_NODE in
		[0-9a-f][0-9a-f]*:node1) echo $header ;;
		$'\t'[0-9a-f][0-9a-f]*:node0) echo $header ;;   # need /bin/bash
	    esac
	done | xxd -r -p
-- 
William Park <opengeometry@yahoo.ca>

On Tue, Sep 26, 2017 at 12:47:21AM -0400, William Park via talk wrote:
...
To network experts...
...
From Wireshark, I can click "TCP Follow" tab and extract one-way data
flow from a tcp stream.  I can do this manually, one by one.  But, I
have many many streams.
Does anyone know how to extract one-way data stream via script?
Google says
    tshark -q -r capture.pcapng -z follow,tcp,raw,0
where '0' is the tcp stream number 0.  But, it gives me data moving both
ways.  I just want data moving one-way.
-- 
William Park <opengeometry@yahoo.ca>