Wireshark question -- script to extract data in TCP stream?
To network experts...
From Wireshark, I can click "TCP Follow" tab and extract one-way data flow from a tcp stream. I can do this manually, one by one. But, I have many many streams.
Does anyone know how to extract one-way data stream via script? Google says tshark -q -r capture.pcapng -z follow,tcp,raw,0 where '0' is the tcp stream number 0. But, it gives me data moving both ways. I just want data moving one-way. -- William Park <opengeometry@yahoo.ca> .
On 09/26/2017 12:47 AM, William Park via talk wrote:
To network experts...
From Wireshark, I can click "TCP Follow" tab and extract one-way data flow from a tcp stream. I can do this manually, one by one. But, I have many many streams.
Does anyone know how to extract one-way data stream via script?
Google says tshark -q -r capture.pcapng -z follow,tcp,raw,0 where '0' is the tcp stream number 0. But, it gives me data moving both ways. I just want data moving one-way.
Doesn't following stream in Wireshark also capture both directions? Perhaps, after exporting, you could filter out what you need.
On 09/26/2017 07:11 AM, James Knott via talk wrote:
On 09/26/2017 12:47 AM, William Park via talk wrote:
To network experts...
From Wireshark, I can click "TCP Follow" tab and extract one-way data flow from a tcp stream. I can do this manually, one by one. But, I have many many streams.
Does anyone know how to extract one-way data stream via script?
Google says tshark -q -r capture.pcapng -z follow,tcp,raw,0 where '0' is the tcp stream number 0. But, it gives me data moving both ways. I just want data moving one-way. Doesn't following stream in Wireshark also capture both directions? Perhaps, after exporting, you could filter out what you need.
you could capture only one way traffic by filtering the input with something like "dst host 1.2.3.4". I am not sure how that would impact the tcp stream following though. -- Alvin Starr || land: (905)513-7688 Netvel Inc. || Cell: (416)806-0133 alvin@netvel.net ||
On 09/26/2017 07:39 AM, Alvin Starr via talk wrote:
you could capture only one way traffic by filtering the input with something like "dst host 1.2.3.4". I am not sure how that would impact the tcp stream following though.
I would expect the stream would include both directions. If you're trying to resolve a problem, you need to see both sides.
On 09/26/2017 08:36 AM, James Knott via talk wrote:
you could capture only one way traffic by filtering the input with something like "dst host 1.2.3.4". I am not sure how that would impact the tcp stream following though. I would expect the stream would include both directions. If you're
On 09/26/2017 07:39 AM, Alvin Starr via talk wrote: trying to resolve a problem, you need to see both sides.
I would agree but the original post requested the data in just 1 direction. -- Alvin Starr || land: (905)513-7688 Netvel Inc. || Cell: (416)806-0133 alvin@netvel.net ||
On Tue, Sep 26, 2017 at 07:11:48AM -0400, James Knott via talk wrote:
On 09/26/2017 12:47 AM, William Park via talk wrote:
To network experts...
From Wireshark, I can click "TCP Follow" tab and extract one-way data flow from a tcp stream. I can do this manually, one by one. But, I have many many streams.
Does anyone know how to extract one-way data stream via script?
Google says tshark -q -r capture.pcapng -z follow,tcp,raw,0 where '0' is the tcp stream number 0. But, it gives me data moving both ways. I just want data moving one-way.
Doesn't following stream in Wireshark also capture both directions? Perhaps, after exporting, you could filter out what you need.
How to filter it using Wireshark/Tshark/etc? :-) I can filter after-the-fact, but it's messy. -- William Park <opengeometry@yahoo.ca>
On 09/26/2017 09:55 AM, William Park via talk wrote:
Doesn't following stream in Wireshark also capture both directions?
Perhaps, after exporting, you could filter out what you need. How to filter it using Wireshark/Tshark/etc? :-) I can filter after-the-fact, but it's messy.
I'm not sure you can filter direction on a stream. I'd think a stream would include both sides by definition.
OK, I found a way to do post-filtering. For your reference, here are mini how-to... 1. Key insight is tshark -q -r capture.pcapng -z follow,tcp,raw,n where 'n' is tcp stream number. Its output is something like =================================================================== Follow: tcp,raw Filter: tcp.stream eq 0 Node 0: 10.10.13.40:58447 Node 1: 10.10.12.132:9100 1d7201 00 =================================================================== What I want is data sent to port 9100. It's Node 0 (left-flushed), here, but sometimes it's Node 1 (indented by \t). The script to extract data sent to port 9100 is while IFS=: read header ip port; do case $header:$port in =*= | Follow | Filter) PRINTER_NODE= ;; Node\ 0:9100) PRINTER_NODE=node0 ;; Node\ 1:9100) PRINTER_NODE=node1 ;; esac case $header:$PRINTER_NODE in [0-9a-f][0-9a-f]*:node1) echo $header ;; $'\t'[0-9a-f][0-9a-f]*:node0) echo $header ;; # need /bin/bash esac done 2. Now, I need tcp stream numbers. This will print them out. tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T fields -e tcp.stream If they are sequential 0 to N, then you can do for n in $(seq 0 N); do tshark -q -r capture.pcapng -z follow,tcp,raw,$n done If they are not sequential, then for n in $(tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T fields -e tcp.stream | sort -nu); do tshark -q -r capture.pcapng -z follow,tcp,raw,$n done Putting them together in a pipe, for n in $(tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T fields -e tcp.stream | sort -nu); do tshark -q -r capture.pcapng -z follow,tcp,raw,$n done | while IFS=: read header ip port; do case $header:$port in =*= | Follow | Filter) PRINTER_NODE= ;; Node\ 0:9100) PRINTER_NODE=node0 ;; Node\ 1:9100) PRINTER_NODE=node1 ;; esac case $header:$PRINTER_NODE in [0-9a-f][0-9a-f]*:node1) echo $header ;; $'\t'[0-9a-f][0-9a-f]*:node0) echo $header ;; # need /bin/bash esac done 4. Converting from hex to binary. for n in $(tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T fields -e tcp.stream | sort -nu); do tshark -q -r capture.pcapng -z follow,tcp,raw,$n done | while IFS=: read header ip port; do case $header:$port in =*= | Follow | Filter) PRINTER_NODE= ;; Node\ 0:9100) PRINTER_NODE=node0 ;; Node\ 1:9100) PRINTER_NODE=node1 ;; esac case $header:$PRINTER_NODE in [0-9a-f][0-9a-f]*:node1) echo $header ;; $'\t'[0-9a-f][0-9a-f]*:node0) echo $header ;; # need /bin/bash esac done | xxd -r -p -- William Park <opengeometry@yahoo.ca> On Tue, Sep 26, 2017 at 12:47:21AM -0400, William Park via talk wrote:
To network experts...
From Wireshark, I can click "TCP Follow" tab and extract one-way data flow from a tcp stream. I can do this manually, one by one. But, I have many many streams.
Does anyone know how to extract one-way data stream via script?
Google says tshark -q -r capture.pcapng -z follow,tcp,raw,0 where '0' is the tcp stream number 0. But, it gives me data moving both ways. I just want data moving one-way. -- William Park <opengeometry@yahoo.ca>
participants (3)
-
Alvin Starr -
James Knott -
William Park