
Comparing TShark & Wireshark "Follow Stream"

When I compare the output of this command,

 & 'C:\Program Files\Wireshark\tshark.exe' -nr 'D:\pcap\test\output_0932.pcap' -z follow,tcp,raw,0 -Y tcp -w tshark.dat | Out-Null

which I believe should be the equivalent of "follow TCP stream" in the Wireshark GUI I get different outputs.

The TShark output is more or less the same, but there is more (a TShark header at the top is one example).

Is there any way to get exactly the same output?

The GUI gives me what I want, but I would like to script the process using TShark.

Thanks!

johnorford, asked 2020-01-13 08:35:24 +0000, updated 2020-01-13 08:36:10 +0000

Comments

Do you mean the header like:

===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 0
Node 0: 127.0.0.1:33412
Node 1: 127.0.0.1:8080

If so, no, there is no way (currently) to remove that with the -z options.

grahamb (2020-01-13 11:39:02 +0000)

Thanks for the replies, guys. I will work through them; for the time being:

To be clear, the whole target is to reproduce two lines of Bash with something that runs for users on Windows (grr).

Here is the relevant part of what I am trying to reproduce here:

tcptrace -e output_0932.pcap

which extracts the TCP payloads - this is also what is done with the GUI.

I would like to not have users install Cygwin etc. if possible; that's why I am putting myself through this pain.

johnorford (2020-01-13 19:54:31 +0000)

1 Answer


The tshark.dat file is actually a pcapng file containing the matching packets of the given tcp filter; it's not the same as the follow TCP stream output of Wireshark at all, which only contains the relevant stream's TCP payload data.

Maybe this is more what you're looking for?

"C:\Program Files\Wireshark\tshark.exe" -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp -w tshark.dat

... and if you want to eliminate the extraneous information at the top, then you can use tail -n +x to do that, where x is the line you want to start with, thus eliminating the x-1 previous lines. For example:

"C:\Program Files\Wireshark\tshark.exe" -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | tail -n +9 > tshark.dat

... and since you're on Windows, if you don't have Cygwin installed, and thus you don't have tail at your disposal, then you should be able to accomplish the same thing (more or less) with PowerShell commands. For example:

"C:\Program Files\Wireshark\tshark.exe" -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | powershell -noninteractive -noprofile -c "$input | Select-Object -Skip 8" > tshark.dat

... and if you want to remove the blank lines:

"C:\Program Files\Wireshark\tshark.exe" -q -nr D:\pcap\test\output_0932.pcap -z follow,tcp,ascii,0 -Y tcp | powershell -noninteractive -noprofile -c "$input | Select-Object -Skip 8 | ? {$_.trim() -ne \"\" }" > tshark.dat

cmaynard, answered 2020-01-13 17:50:46 +0000

Comments

The examples seem to be a bit long-winded if the user is already running in a PowerShell session (as the Out-Null would indicate). In this case use:

& 'C:\Program Files\Wireshark\tshark.exe' -q -nr 'D:\pcap\test\output_0932.pcap' -z follow,tcp,ascii,0 -Y tcp | Select-Object -Skip 8 | Out-File -Encoding utf8 tshark.dat

Note the use of Out-File to control the encoding of the output file. The default PowerShell output, when using redirection or Out-File, is (currently) UTF16LE, which may not be what you want to subsequently use.

Another way to strip blank lines is to pipe through Where-Object { $_ }

I also found that I only needed to skip 6 lines to remove the header info, and the output still retains the trailer (====...) and all but the first line of data is prefixed by a tab.

grahamb (2020-01-13 18:18:17 +0000)

My examples were run from a cmd prompt, and I don't doubt they weren't optimal, especially if already running from a PowerShell session. I'm definitely not a PowerShell expert, so feel free to use @grahamb's modified examples or whatever else works best.

The main point of my answer was to clarify the -w output, illustrate that ascii and not raw was what was probably desired, and to show that it's possible to skip past any preceding headers and only focus on the TCP payload.

cmaynard (2020-01-13 18:27:50 +0000)

It looks like raw matches the output from tcptrace -e, which works well on Bash.

As I said, the GUI nails it; unfortunately it is tricky on the tshark side of things.

johnorford (2020-01-13 20:05:45 +0000)
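As an added example (not part of cmaynard's answer, grahamb's comment, or Wireshark itself), the PowerShell script below does what the answer and the comments above do by hand, but strips the -z follow header and trailer by pattern rather than by a fixed Select-Object -Skip count (which is why the answer and the comment disagree on 8 versus 6 lines), and decodes raw-mode hex lines back into payload bytes, which is the form the tcptrace -e comparison in the last comment is after. It assumes the default tshark install path, the header layout quoted in grahamb's first comment (===, Follow:, Filter:, Node 0:, Node 1:, payload, ===), and that the node1-to-node0 direction is prefixed by a tab; all function names are mine.

```powershell
# Added example, not from the original post or Wireshark. Assumes the follow
# report layout quoted in the question's comments; verify against your tshark
# version before relying on it.

function Get-FollowStreamLines {
    param(
        [Parameter(Mandatory)][string]$Pcap,
        [int]$Stream = 0,
        [ValidateSet('ascii', 'raw')][string]$Mode = 'ascii',
        [string]$TShark = 'C:\Program Files\Wireshark\tshark.exe'  # assumed default path
    )
    # -q suppresses per-packet output so only the -z follow report is printed.
    $lines = & $TShark -q -nr $Pcap -z "follow,tcp,$Mode,$Stream" -Y tcp
    ConvertFrom-FollowOutput -Lines $lines
}

function ConvertFrom-FollowOutput {
    param([string[]]$Lines)
    # Emits only the payload body: everything after the "Node 1:" header line
    # and before the closing line of '=' characters, regardless of header length.
    $inBody = $false
    foreach ($line in $Lines) {
        if (-not $inBody) {
            if ($line -match '^Node 1:') { $inBody = $true }
            continue
        }
        if ($line -match '^=+$') { break }
        $line
    }
}

function ConvertFrom-FollowRawHex {
    param([string[]]$BodyLines)
    # Raw mode prints each TCP chunk as one line of hex digits; a leading tab
    # marks the node1 -> node0 direction. Returns one object per chunk.
    foreach ($line in $BodyLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $dir = if ($line.StartsWith("`t")) { 'node1->node0' } else { 'node0->node1' }
        $hex = $line.Trim()
        if ($hex -notmatch '^[0-9a-fA-F]+$' -or ($hex.Length % 2) -ne 0) {
            throw "Unexpected non-hex line in raw follow output: '$line'"
        }
        $bytes = [byte[]]::new($hex.Length / 2)
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
        }
        [pscustomobject]@{ Direction = $dir; Bytes = $bytes }
    }
}

# Usage 1: write the node0 -> node1 payload of stream 0 as one binary file,
# comparable to the GUI's "Follow TCP Stream" > Save As for a single direction.
$body    = Get-FollowStreamLines -Pcap 'D:\pcap\test\output_0932.pcap' -Mode raw
$chunks  = ConvertFrom-FollowRawHex -BodyLines $body
$payload = @($chunks | Where-Object Direction -eq 'node0->node1' | ForEach-Object { $_.Bytes })
[System.IO.File]::WriteAllBytes('D:\pcap\test\stream0_node0.bin', [byte[]]$payload)

# Usage 2: ascii mode with blank lines removed, saved with an explicit encoding
# (PowerShell's default for > and Out-File is UTF-16LE, as noted in the comments).
Get-FollowStreamLines -Pcap 'D:\pcap\test\output_0932.pcap' -Mode ascii |
    Where-Object { $_.Trim() -ne '' } |
    Out-File -Encoding utf8 'D:\pcap\test\stream0.txt'
```

Matching on the "Node 1:" and "===" lines rather than counting lines keeps the script working whether tshark prints extra lines before the report or not, and the hex check in ConvertFrom-FollowRawHex fails loudly if the layout differs from the assumed one instead of silently writing a corrupt payload file.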
