Comparing TShark & Wireshark "Follow Stream"
When I compare the output of this command,
& 'C:\Program Files\Wireshark\tshark.exe' -nr 'D:\pcap\test\output_0932.pcap' -z follow,tcp,raw,0 -Y tcp -w tshark.dat | Out-Null
which I believe should be the equivalent of "follow TCP stream" in the Wireshark GUI, I get different outputs.
The TShark output is more or less the same, but there is more (a TShark header at the top is one example).
Is there any way to get exactly the same output?
The GUI gives me what I want, but I would like to script the process using TShark.
Thanks!
Comments
Do you mean the header like:
If so, no, there is no way (currently) to remove that with the -z options.

Thanks for the replies guys. I will work through them - for the time being ->
To be clear, the whole target is to reproduce two lines of Bash with something that runs for users on Windows (grr).
Here is the relevant part of what I am trying to reproduce here:
which extracts the TCP payloads - this is also what is done with the GUI.
I would like to not have users install Cygwin etc. if possible - that's why I am putting myself through this pain.
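A scripted equivalent for Windows, as an added example that is not from the question or the replies: it runs tshark's follow statistic with -q, drops the header and the closing separator that the GUI does not show, and decodes the remaining hex into the raw payload bytes of each direction. It assumes the layout of the -z follow,tcp,raw output (banner lines through "Node 1:", one hex line per segment with server-to-client lines tab-prefixed, a line of "=" characters closing the block); the tshark path is the one from the question and the function names are mine.

```powershell
# Added example, not from the thread. Assumes tshark's "-z follow,tcp,raw,N" layout: banner through
# "Node 1: ...", one hex line per segment (server->client lines start with a tab), closing "=" line.
function ConvertFrom-TsharkFollowRaw {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $client = New-Object 'System.Collections.Generic.List[byte]'
    $server = New-Object 'System.Collections.Generic.List[byte]'
    $inData = $false
    foreach ($line in $Lines) {
        if (-not $inData) {
            # Everything up to and including "Node 1:" is the header the GUI does not show.
            if ($line -match '^Node 1:') { $inData = $true }
            continue
        }
        if ($line -match '^=+$') { break }   # closing separator ends the stream block
        $dir = if ($line.StartsWith("`t")) { $server } else { $client }
        $hex = $line.Trim()
        if ($hex.Length -eq 0 -or ($hex.Length % 2) -ne 0) { continue }
        for ($i = 0; $i -lt $hex.Length; $i += 2) {
            $dir.Add([Convert]::ToByte($hex.Substring($i, 2), 16))
        }
    }
    [pscustomobject]@{ ClientToServer = $client.ToArray(); ServerToClient = $server.ToArray() }
}

function Export-TcpStreamPayload {
    param(
        [Parameter(Mandatory)] [string] $Pcap,
        [Parameter(Mandatory)] [string] $OutPrefix,   # absolute path prefix for the two output files
        [int] $Stream = 0,
        [string] $Tshark = 'C:\Program Files\Wireshark\tshark.exe'
    )
    # -q suppresses the per-packet lines so only the follow block reaches stdout.
    $raw = & $Tshark -q -nr $Pcap -z "follow,tcp,raw,$Stream"
    $p = ConvertFrom-TsharkFollowRaw -Lines $raw
    [IO.File]::WriteAllBytes("$OutPrefix.c2s.bin", $p.ClientToServer)
    [IO.File]::WriteAllBytes("$OutPrefix.s2c.bin", $p.ServerToClient)
}

# Offline self-check on a constructed follow block (not real capture data).
$sample = @(
    '===================================================================',
    'Follow: tcp,raw', 'Filter: tcp.stream eq 0',
    'Node 0: 10.0.0.1:40000', 'Node 1: 10.0.0.2:80',
    '474554202f20485454502f312e310d0a0d0a',        # client sent "GET / HTTP/1.1\r\n\r\n"
    "`t485454502f312e3120323030204f4b0d0a0d0a",    # server sent "HTTP/1.1 200 OK\r\n\r\n"
    '==================================================================='
)
$r = ConvertFrom-TsharkFollowRaw -Lines $sample
if ([Text.Encoding]::ASCII.GetString($r.ClientToServer) -ne "GET / HTTP/1.1`r`n`r`n") { throw 'c2s mismatch' }
if ([Text.Encoding]::ASCII.GetString($r.ServerToClient) -ne "HTTP/1.1 200 OK`r`n`r`n") { throw 's2c mismatch' }
```

Calling Export-TcpStreamPayload -Pcap 'D:\pcap\test\output_0932.pcap' -OutPrefix 'D:\pcap\test\stream0' writes one file per direction; concatenate them if a single file like the GUI's "Save as" raw output is wanted.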