On Wed, Aug 01, 2007 at 08:37:07AM +0100, Nick Chorley wrote:
>
> Wireshark's "Follow TCP stream" feature is quite useful to me and I'm
> wondering if there is any way to "automate" this process and write stream
> data to files. I am easily able to create filtering rules like "(ip addr eq
> 192.168.2.1 and ip addr eq 192.168.2.5) and (tcp.port eq 80 and tcp.port eq
> 5022)" and what I would like to do is have a list of these and be able to go
> through each rule in the list, apply it and dump the stream output to a file.
> Is this at all possible with Wireshark or is there any other tool I can use
> to do this?
Wireshark in itself is not capable of doing this. But scripting around tshark should do the trick. On the different unix platforms this can be done quite easily, and on my Windows PC I have cygwin installed to make life easier. You could use something in bash like:

# one display filter per line in the list file; spaces are turned into
# underscores so each filter survives the word splitting of the for loop
for f in `cat <file-with a filter per line> | tr " " "_"`
do
  filter=`echo $f | tr "_" " "`
  echo "processing file with filter $filter"
  # the underscore form is used for the file name so it contains no spaces;
  # newer tshark releases want -Y here (or -2 -R) instead of a bare -R
  tshark -r <input-file> -w "$f.cap" -R "$filter"
done

To make it even fancier, you can create the filters dynamically as well. The following will look for all SYN packets and make a filter for all sessions for which a SYN is seen; it then uses these filters to split up the capture file into individual tcp flows:

# each SYN yields one line "src_srcport_dst_dstport"; tr strips the CR that
# tshark emits on Windows/cygwin
for f in `tshark -r <input file> -T fields -E separator=_ -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -R "tcp.flags.syn==1 && tcp.flags.ack==0" | tr -d "\015"`
do
  filter=`echo $f | awk -F_ '{printf("ip.addr==%s and tcp.port==%s and ip.addr==%s and tcp.port==%s\n",$1,$2,$3,$4)}'`
  outfile="$f.cap"
  echo "processing file with filter $filter"
  tshark -r <input file> -w "$outfile" -R "$filter"
done

I hope this helps,

Cheers,
Sake

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
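Both approaches in the reply above (a hand-written filter list, and filters generated from SYN packets) can be carried into one small POSIX sh script. This is an added example, not Sake's script or anything shipped with Wireshark; it assumes a tshark on PATH that accepts `-Y` (older releases used `-R` as shown above), and the flow key format `src_srcport_dst_dstport` is the one the reply's `-E separator=_` output produces. Compared with the loops above it reads filter lines with `read -r` so spaces need no underscore trick, de-duplicates flow keys so a retransmitted SYN does not rewrite the same file, and sanitizes output names so an IPv6 address with colons still yields a usable file name.

```shell
#!/bin/sh
# Split a capture into per-flow files with tshark (added example, assumes tshark >= 1.10 for -Y).
set -eu

# Build a display filter from a flow key "src_srcport_dst_dstport"
# (key format as produced by tshark -T fields -E separator=_ in the reply).
flow_filter() {
  echo "$1" | awk -F_ '{printf("ip.addr==%s and tcp.port==%s and ip.addr==%s and tcp.port==%s\n",$1,$2,$3,$4)}'
}

# Derive a filesystem-safe output name from a flow key: anything outside
# [A-Za-z0-9._] (e.g. the colons of an IPv6 address) becomes '-'.
flow_outfile() {
  printf '%s.cap\n' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9._' '-')"
}

# List unique flow keys for every initial SYN (SYN set, ACK clear) in a capture.
# sort -u collapses retransmitted SYNs; tr -d strips the CR seen on Windows builds.
list_syn_flows() {
  tshark -r "$1" -T fields -E separator=_ \
    -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
    -Y "tcp.flags.syn==1 && tcp.flags.ack==0" | tr -d '\r' | sort -u
}

# Approach 2 from the reply: one output file per SYN-initiated flow.
split_flows() {
  capture=$1
  for key in $(list_syn_flows "$capture"); do
    filter=$(flow_filter "$key")
    out=$(flow_outfile "$key")
    echo "writing $out with filter: $filter"
    tshark -r "$capture" -Y "$filter" -w "$out"
  done
}

# Approach 1 from the reply: one output file per display filter in a text file,
# read line by line so filters may contain spaces; empty lines are skipped.
split_by_filter_list() {
  capture=$1
  list=$2
  n=0
  while IFS= read -r filter || [ -n "$filter" ]; do
    [ -z "$filter" ] && continue
    n=$((n + 1))
    out=$(printf 'flow-%03d.cap' "$n")
    echo "writing $out with filter: $filter"
    tshark -r "$capture" -Y "$filter" -w "$out"
  done < "$list"
}

# Usage: ./split.sh capture.pcap            -> per-flow files named from the flow key
#        ./split.sh capture.pcap filters.txt -> flow-001.cap, flow-002.cap, ... per listed filter
if [ -n "${1-}" ] && command -v tshark >/dev/null 2>&1; then
  if [ -n "${2-}" ]; then
    split_by_filter_list "$1" "$2"
  else
    split_flows "$1"
  fi
fi
```

The `-w` output of a display filter pass is a pcap of the matching packets, which is what the reply produces too; if what is wanted is the reassembled payload that "Follow TCP stream" shows rather than packets, a follow-up pass with `tshark -z follow,tcp,...` on each per-flow file is the place to add it.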