On Wed, Aug 01, 2007 at 08:37:07AM +0100, Nick Chorley wrote:
>
> Wireshark's "Follow TCP stream" feature is quite useful to me and I'm
> wondering if there is any way to "automate" this process and write stream
> data to files. I am easily able to create filtering rules like "(ip addr eq
> 192.168.2.1 and ip addr eq 192.168.2.5) and (tcp.port eq 80 and tcp.port eq
> 5022)" and what I would like to do is have a list of these and be able to go
> through each rule in the list, apply it and dump the stream output to a file.
> Is this at all possible with Wireshark or is there any other tool I can use
> to do this?
Wireshark in itself is not capable of doing this, but scripting
around tshark should do the trick. On the different Unix platforms
this can be done quite easily, and on my Windows PC I have Cygwin
installed to make life easier.
You could use something in bash like:
# One display filter per line; spaces are turned into "_" so that the
# for-loop sees each line as a single word, and turned back inside the loop.
for f in `cat <file-with a filter per line> | tr " " "_"`
do
    filter=`echo "$f" | tr "_" " "`
    echo "processing file with filter $filter"
    # -R was the display-filter option at the time; current tshark uses -Y.
    tshark -r <input-file> -w "$filter.cap" -R "$filter"
done
To make it even fancier, you can create the filters dynamically as well.
The following looks for all SYN packets and makes a filter for every
session for which a SYN is seen; it then uses these filters to
split up the capture file into individual TCP flows:
# Print "src_sport_dst_dport" for every client SYN (SYN set, ACK clear);
# tr strips the carriage returns that tshark emits on Windows/Cygwin.
for f in `tshark -r <input file> -T fields -E separator=_ -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -R "tcp.flags.syn==1 && tcp.flags.ack==0" | tr -d "\015"`
do
    # Build a filter that matches both directions of the flow.
    filter=`echo "$f" | awk -F_ '{printf("ip.addr==%s and tcp.port==%s and ip.addr==%s and tcp.port==%s\n",$1,$2,$3,$4)}'`
    outfile="$f.cap"
    echo "processing file with filter $filter"
    # -R was the display-filter option at the time; current tshark uses -Y.
    tshark -r <input file> -w "$outfile" -R "$filter"
done
I hope this helps. Cheers,
Sake
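A reworking of the second script as an added example (not code from the original thread): it uses the -Y display-filter option of current tshark releases, and de-duplicates the SYN tuples so that a retransmitted SYN does not produce the same filter and output file twice. SAMPLE_SYNS is a constructed tuple list and SPLIT_SAMPLE is a hypothetical switch that substitutes it for a real capture so the filter logic can be exercised without tshark.

```shell
# Constructed sample of what the tshark "-T fields -E separator=_" command
# below prints for client SYNs (not real capture data). The second line is a
# retransmitted SYN of the first flow; without de-duplication it would become
# a second, identical filter and overwrite the same output file.
SAMPLE_SYNS='192.168.2.1_51022_192.168.2.5_80
192.168.2.1_51022_192.168.2.5_80
10.0.0.7_40000_10.0.0.9_443'

# Turn one "src_sport_dst_dport" tuple into a display filter that matches
# both directions of that flow.
make_filter() {
    printf '%s\n' "$1" | awk -F_ \
        '{printf("ip.addr==%s and tcp.port==%s and ip.addr==%s and tcp.port==%s\n",$1,$2,$3,$4)}'
}

# List the unique SYN tuples of capture $1. If SPLIT_SAMPLE (hypothetical
# switch) is set, the constructed list above is used instead of tshark.
syn_flows() {
    if [ -n "$SPLIT_SAMPLE" ]; then
        printf '%s\n' "$SAMPLE_SYNS"
    else
        # -Y is the display-filter option in current tshark (the 2007-era -R
        # now needs two-pass mode); tr strips CRs from Windows/Cygwin output.
        tshark -r "$1" -T fields -E separator=_ \
            -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
            -Y "tcp.flags.syn==1 && tcp.flags.ack==0" | tr -d '\015'
    fi | sort -u
}

# Write every flow of capture $1 to its own <tuple>.cap file.
split_flows() {
    capture="$1"
    syn_flows "$capture" | while IFS= read -r tuple; do
        filter=$(make_filter "$tuple")
        outfile="$tuple.cap"
        echo "processing $outfile with filter $filter"
        tshark -r "$capture" -Y "$filter" -w "$outfile"
    done
}
```

Run it as `split_flows input.cap` on a real capture; note that a port reused for a second connection later in the capture ends up in the same output file as the first, since the filter keys on addresses and ports only.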