Wireshark · Wireshark-users: Re: [Wireshark-users] Dumping multiple filters out to files?

[Patrick M Geahan <pmgeahan@xxxxxxxxxxxxxx>]

On Sat, 25 Oct 2008, brian.r.kneebone@xxxxxxxxxx wrote:

> Hi There,
>
> I received some CAP files to analyse.  I'm comfortable with filtering 
> the traffic I want and following streams and dumping out to raw files, 
> but is there any way with a filter that I can have Wireshark to dump all 
> streams out to individual raw files?  In my case, I have a bazillion of 
> these files and doing it manually isn't practical.  Once they're dumped 
> I have another script ready to do some magic on them and analyse for 
> errors.  Much appreciated.

Linux-specific answer ahead.

I recently had to solve the same problem; in my case, I used a
tool called tcpflow(http://www.circlemud.org/~jelson/software/tcpflow/)

I did run into one minor issue with tcpflow, namely that it added
one byte to the beginning of all of the raw files.  This may perhaps
be a particular fluke of the method I've been using to analyze the
files, which started out as packeteer format before I converted
to pcap.  dcfldd did an excellent job of removing that first byte.


-------Patrick M Geahan----pmgeahan@xxxxxxxxxxxxxx---ICQ:3784715------
"You know, this is how the sum total of human knowledge is increased.
Not with idle speculation and meaningless chatter, but with a
medium-sized hammer and some free time." - spam.sc@xxxxxxxxx, a.f.c-a