Hi Andrej,
Yep:)
To see the different streams:
$ tshark -r test.pcap -q -z conv,tcp
Output:
================================================================================
TCP Conversations
Filter:<No Filter>
                                        |      <-       | |      ->       | |     Total     |
                                        | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.6:1696 <-> 67.212.143.22:80       1432 2163251       857   49210      2289 2212461
192.168.1.6:1723 <-> 67.212.143.22:80        191  250166       125   12226       316  262392
192.168.1.6:1714 <-> 93.184.221.133:80       174  245570       115   12786       289  258356
192.168.1.6:1688 <-> 204.9.177.195:80        175  255654        98    7823       273  263477
192.168.1.6:1691 <-> 204.9.177.195:80        170  247284        93    7025       263  254309
192.168.1.6:1689 <-> 204.9.177.195:80        109  150451        71    9189       180  159640
To select the first stream and save the output to a new file:
$ tshark -r test.pcap -R "(ip.addr==192.168.1.6 && tcp.port==1696 && ip.addr==67.212.143.22 && tcp.port==80)" -w test1.pcap
The result:
$ tshark -r test1.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                        |      <-       | |      ->       | |     Total     |
                                        | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.6:1696 <-> 67.212.143.22:80       1432 2163251       857   49210      2289 2212461
================================================================================
Have a nice day
Joan
On Fri, 4 Sep 2009 06:30:24 +0900 Andrej van der Zee wrote:
>
>Hi,
>
>>
>> Right-click a packet and select Follow TCP Stream.
>>
>> or
>>
>> Statistics -> Conversations -> TCP
>> Right-click a stream and select Apply as Filter -> Selected -> A <--> B
>>
>> You can save the displayed packets to a new capture file:
>> File -> Save as -> Packet Range: Displayed.
>>
>
>Thank you so much!
>
>One more question. Is it possible to create a new capture file as
>above, but on the command-line only?
>
>Cheers,
>Andrej
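
Added example, not part of the original messages: the two steps above (list the conversations, then filter one out) combined so that every TCP conversation in a capture is written to its own file. The names `conv_filters`, `split_streams`, `FILTER_OPT` and `SAMPLE` are assumptions made for this sketch; `-R` is used as in the message, and current tshark releases take the same display filter with `-Y`.

```shell
#!/bin/sh
# Added example (not from the original post): split a capture into one file
# per TCP conversation, using the conv,tcp table as the source of filters.

# Filter option: -R as in the post; current tshark releases take -Y instead.
FILTER_OPT=${FILTER_OPT:--R}

# Constructed sample: header plus two rows in the layout shown in the post.
SAMPLE='TCP Conversations
Filter:<No Filter>
                                        | <- | | -> | | Total |
192.168.1.6:1696 <-> 67.212.143.22:80  1432 2163251 857 49210 2289 2212461
192.168.1.6:1714 <-> 93.184.221.133:80 174 245570 115 12786 289 258356'

# conv_filters: conv,tcp output on stdin -> one display filter per row.
conv_filters() {
    awk '$2 == "<->" {
        # IPv4 rows only: "addr:port" must split into exactly two parts.
        if (split($1, a, ":") != 2 || split($3, b, ":") != 2) next
        printf "(ip.addr==%s && tcp.port==%s && ip.addr==%s && tcp.port==%s)\n",
               a[1], a[2], b[1], b[2]
    }'
}

# split_streams CAPTURE PREFIX: writes PREFIX1.pcap, PREFIX2.pcap, ...
split_streams() {
    n=0
    tshark -r "$1" -q -z conv,tcp | conv_filters | while IFS= read -r f; do
        n=$((n + 1))
        # </dev/null keeps tshark from consuming the remaining filter lines;
        # stop at the first failure.
        tshark -r "$1" "$FILTER_OPT" "$f" -w "$2$n.pcap" </dev/null || break
    done
}

# With two arguments, split the capture; otherwise show the sample filters.
if [ $# -eq 2 ]; then
    split_streams "$1" "$2"
else
    printf '%s\n' "$SAMPLE" | conv_filters
fi
```

Running `tshark -r PREFIX1.pcap -q -z conv,tcp` on each output file should show a single conversation whose frame and byte totals match its row in the original table.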