Wireshark-users: Re: [Wireshark-users] TCP stream reassembly with timestamps
From: Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx>
Date: Wed, 11 Jan 2012 22:36:50 +0100
I suggest that you use tshark instead in order to display both the
frame's timestamp and TCP payload data.

Try this command:
tshark.exe -r dump.pcap -T fields -e frame.time -e tcp.data

It will, however, output the TCP payload data in hex, i.e. like
"48:54:54:50" instead of "HTTP".

/erik

2012/1/5 Neilen Marais <nmarais@xxxxxxxxx>:
> I'm using wireshark to sniff communications between devices that use
> katcp (https://casper.berkeley.edu/wiki/KATCP). Katcp is a very simple
> text orientated messaging scheme, where messages are
> newline-delimited. Using wireshark's TCP stream reassembly I have 90%
> of my needs covered.
>
> The only other thing I need is a way to timestamp each newline in the
> reassembled stream. Is there a simple way to do this in wireshark?
> Essentially (I guess) is a way to map a part of the reassembled TCP
> payload to the packet that it came from.
>
> Thanks
> Neilen
>
> P.S. Apologies if this message is duplicated -- I tried sending it
> through gmane, but never received the confirmation email.

-- 
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec
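
Added example, not part of the original thread: a Python sketch that takes the tab-separated output of the tshark command above, decodes the hex `tcp.data` field, and stamps each newline-delimited message with the time of the frame that carried its newline. It assumes a single TCP stream in one direction, in order and without retransmissions; the function name and the sample rows are constructed for illustration.

```python
# Added example: timestamp each newline-delimited message in tshark field output.
# Assumption: rows come from one TCP stream, one direction, in order, no retransmissions.

def timestamp_lines(tshark_output):
    """Return (frame_time, message) pairs; each message gets the time of the
    frame that carried its terminating newline."""
    results = []
    pending = b""  # bytes of a message whose newline has not arrived yet
    for row in tshark_output.splitlines():
        # -T fields separates columns with a tab by default
        frame_time, _, hex_payload = row.partition("\t")
        hex_payload = hex_payload.strip()
        if not hex_payload:  # segments without payload (e.g. bare ACKs)
            continue
        # Accept both "48:54:54:50" and "48545450" renderings of tcp.data
        pending += bytes.fromhex(hex_payload.replace(":", ""))
        # Everything before the last "\n" is complete; the rest waits for more data
        *complete, pending = pending.split(b"\n")
        for msg in complete:
            text = msg.rstrip(b"\r").decode("ascii", "replace")
            results.append((frame_time, text))
    return results


def row(frame_time, payload, colons=True):
    """Build one constructed tshark output row for the sample below."""
    sep = ":" if colons else ""
    return frame_time + "\t" + sep.join(f"{b:02x}" for b in payload)


# Constructed sample: three messages split unevenly across four frames.
T1 = "Jan  5, 2012 10:00:00.100000000"
T2 = "Jan  5, 2012 10:00:00.200000000"
T3 = "Jan  5, 2012 10:00:00.350000000"
T4 = "Jan  5, 2012 10:00:00.900000000"
SAMPLE = "\n".join([
    row(T1, b"?ping\n!pi"),             # one full message plus a fragment
    row(T2, b""),                       # no payload
    row(T3, b"ng ok\n#lo", colons=False),
    row(T4, b"g hi\r\n"),
])

if __name__ == "__main__":
    for when, message in timestamp_lines(SAMPLE):
        print(when, message)
```

A message that spans several frames is reported with the time of the last frame involved; to record the first frame instead, remember the frame time at which `pending` stopped being empty.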