Get tcpstream - wireshark vs tshark

I am trying to get TCPStream from a 24M size capture. I can get it using wireshark, but I need a command without an interface to get this.

I started by trying TShark to capture less than 1M and I was able to get tcpstream equal to wireshark in the same capture. In the capture with 24M, I cannot. TCPStream in wireshark is large and doesn't match what is given in TShark.

I do not understand what the problem is.

I am using the following command: tshark -r cap.pcapng -T fields -e data

Any idea what the problem might be? Or what is it connected with?

I am also open to other solutions that might solve my problem.

Thanks.



1 answer


Perhaps not the most efficient way to do it, but here it is.

Start by breaking the trace file across multiple files; you can use editcap, which is installed with Wireshark. Set the required parameters with -c. There might be a better way to do this, please investigate (I didn't).

Now you have a few files that are not very pleasant to work with, so you need to create a batch file that calls tshark for each of those files: open them, apply the options and write to a new file (again, I told you it was ineffective):

tshark -r <infile> -R "here go your parameters" -w <outfile>

Now we have many new files, but we'd rather combine them into one file for ease of use and to get a much smaller size than we started out with. For this I suggest mergecap -a:

mergecap -a -w <outfile> <infile1> <infile2>......<infilen>

Hope it helps

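The split / filter / merge procedure from the answer, written out as one POSIX shell script. This is an added example, not code from the original question or answer. It assumes a chunk size of 100000 packets for editcap -c, a working directory ./parts, and the display filter "tcp.stream eq 0" to keep one TCP conversation; tshark's -Y option is used for the display filter (the answer's -R is the older read-filter spelling). The helper functions only build names and command lines, so they can be checked without the Wireshark tools installed; the pipeline itself runs only when the script is given an input and an output file.

```shell
#!/bin/sh
# Added example (not from the original post): break a large capture into
# parts with editcap, filter each part with tshark, merge the results with
# mergecap. All parameter values below are assumptions, not from the page.
set -eu

PACKETS_PER_PART=100000          # assumed value for editcap -c
FILTER='tcp.stream eq 0'         # assumed display filter: one TCP conversation
WORKDIR=./parts                  # assumed scratch directory for the pieces

# Build the tshark command line for one part. Kept separate so the command
# can be logged or checked before anything is executed.
filter_cmd() {
    printf "tshark -r '%s' -Y '%s' -w '%s'" "$1" "$FILTER" "$2"
}

# Output name for the filtered copy of a given input part.
filtered_name() {
    case "$1" in
        *.pcapng) printf '%s' "${1%.pcapng}.filtered.pcapng" ;;
        *)        printf '%s' "$1.filtered.pcapng" ;;
    esac
}

run_pipeline() {
    infile=$1
    outfile=$2
    mkdir -p "$WORKDIR"

    # 1. Split: editcap -c writes part_NNNNN_<timestamp>.pcapng files.
    editcap -c "$PACKETS_PER_PART" "$infile" "$WORKDIR/part.pcapng"

    # 2. Filter every part, skipping filtered files left by an earlier run.
    for part in "$WORKDIR"/part_*.pcapng; do
        case "$part" in *.filtered.pcapng) continue ;; esac
        out=$(filtered_name "$part")
        echo "+ $(filter_cmd "$part" "$out")"
        tshark -r "$part" -Y "$FILTER" -w "$out"
    done

    # 3. Merge the filtered parts in the given order (-a appends rather
    #    than re-sorting by timestamp) into the final, much smaller file.
    mergecap -a -w "$outfile" "$WORKDIR"/part_*.filtered.pcapng
}

# Usage: ./split_filter_merge.sh cap.pcapng stream0.pcapng
if [ $# -eq 2 ]; then
    run_pipeline "$1" "$2"
fi
```

If the goal is only the reassembled payload of one conversation rather than a trimmed capture file, tshark can also print it directly without the GUI, for example `tshark -r cap.pcapng -q -z follow,tcp,ascii,0` for stream 0; the stream number to use is the same `tcp.stream` value shown in Wireshark.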