OK, I found a way to do post-filtering. For your reference, here are
mini how-to...
1. Key insight is
tshark -q -r capture.pcapng -z follow,tcp,raw,n
where 'n' is tcp stream number. Its output is something like
===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 0
Node 0: 10.10.13.40:58447
Node 1: 10.10.12.132:9100
1d7201
00
===================================================================
What I want is data sent to port 9100. It's Node 0 (left-flushed),
here, but sometimes it's Node 1 (indented by \t). The script to
extract data sent to port 9100 is
while IFS=: read header ip port; do
case $header:$port in
=*= | Follow | Filter) PRINTER_NODE= ;;
Node\ 0:9100) PRINTER_NODE=node0 ;;
Node\ 1:9100) PRINTER_NODE=node1 ;;
esac
case $header:$PRINTER_NODE in
[0-9a-f][0-9a-f]*:node1) echo $header ;;
$'\t'[0-9a-f][0-9a-f]*:node0) echo $header ;; # need /bin/bash
esac
done
2. Now, I need tcp stream numbers. This will print them out.
tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T fields -e tcp.stream
If they are sequential 0 to N, then you can do
for n in $(seq 0 N); do
tshark -q -r capture.pcapng -z follow,tcp,raw,$n
done
If they are not sequential, then
for n in $(tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T
fields -e tcp.stream | sort -nu); do
tshark -q -r capture.pcapng -z follow,tcp,raw,$n
done
Putting them together in a pipe,
for n in $(tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T
fields -e tcp.stream | sort -nu); do
tshark -q -r capture.pcapng -z follow,tcp,raw,$n
done | while IFS=: read header ip port; do
case $header:$port in
=*= | Follow | Filter) PRINTER_NODE= ;;
Node\ 0:9100) PRINTER_NODE=node0 ;;
Node\ 1:9100) PRINTER_NODE=node1 ;;
esac
case $header:$PRINTER_NODE in
[0-9a-f][0-9a-f]*:node1) echo $header ;;
$'\t'[0-9a-f][0-9a-f]*:node0) echo $header ;; # need /bin/bash
esac
done
4. Converting from hex to binary.
for n in $(tshark -r capture.pcapng -Y 'tcp.dstport==9100' -T
fields -e tcp.stream | sort -nu); do
tshark -q -r capture.pcapng -z follow,tcp,raw,$n
done | while IFS=: read header ip port; do
case $header:$port in
=*= | Follow | Filter) PRINTER_NODE= ;;
Node\ 0:9100) PRINTER_NODE=node0 ;;
Node\ 1:9100) PRINTER_NODE=node1 ;;
esac
case $header:$PRINTER_NODE in
[0-9a-f][0-9a-f]*:node1) echo $header ;;
$'\t'[0-9a-f][0-9a-f]*:node0) echo $header ;; # need /bin/bash
esac
done | xxd -r -p
--
William Park <[email protected]>
On Tue, Sep 26, 2017 at 12:47:21AM -0400, William Park via talk wrote:
> To network experts...
>
> >From Wireshark, I can click "TCP Follow" tab and extract one-way data
> flow from a tcp stream. I can do this manually, one by one. But, I
> have many many streams.
>
> Does anyone know how to extract one-way data stream via script?
>
> Google says
> tshark -q -r capture.pcapng -z follow,tcp,raw,0
> where '0' is the tcp stream number 0. But, it gives me data moving both
> ways. I just want data moving one-way.
> --
> William Park <[email protected]>
---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk
