Hi all,

I have a rather large capture file (close to 300MB) containing 8 TCP sessions (or 8 files containing 35-40MB each).

Essentially, all streams contain the same data, but since they are flowing across different kinds of networks to different clients, each has its own characteristics: different TCP window sizes, probably different congestion avoidance algorithms of the clients and of course network RTTs from 5ms to 110ms.

I'd like to find the timestamp of the packets that contain a certain string (hex or ASCII) in the payload. Sometimes the string will be at the beginning, sometimes anywhere in the payload. So I'd like tshark to search for a certain string and print out one line per occurrence of it - along with the timestamp. I'd like to process the timestamps later on to see how much they differ.

OR

How can I make Tshark print out the data payload as ASCII on a *single* line instead of the hex/ascii array? Of course, this is going to lead to lines that are 1600 characters long, but I don't care about that. Then I could simply grep for the ASCII string I'm looking for, and with a bit of scripting and a file that holds one search string per line, I should be able to let it run automatically (I am aware that this is going to take ages...)

I've tried this:

    tshark -r file.pcap -T fields -e data

This yields output in hex, which I could cope with, but it lacks the timestamp. "-T text" gives timestamps and a bit more, but no hex/ascii data from the payload. If I add "-V", I can see the ASCII string I'm looking for - but in the multiline hex array output format.

TIA & best regards
Marc

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
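One way to get what the post asks for, as an added example that is not from the thread or from Wireshark itself: tshark's `-T fields` mode can emit the epoch timestamp, the TCP stream index and the payload bytes as hex on one tab-separated line per packet, and a short script can decode that hex, search it for the string and compare the first-seen timestamp across streams. The pcap name, the search string and the sample tshark output lines below are constructed; `tshark` must be on PATH only for `tshark_lines`, everything else runs offline.

```python
import subprocess


def tshark_argv(pcap: str) -> list:
    """tshark command: one tab-separated line per packet carrying a 'data' layer.
    Fields: frame.time_epoch, tcp.stream, data.data (payload as hex)."""
    return ["tshark", "-r", pcap, "-Y", "data", "-T", "fields",
            "-e", "frame.time_epoch", "-e", "tcp.stream", "-e", "data.data"]


def tshark_lines(pcap: str) -> list:
    """Run tshark on the capture and return its output lines (needs tshark on PATH)."""
    out = subprocess.run(tshark_argv(pcap), capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def decode_hex_payload(field: str) -> bytes:
    """tshark prints byte fields as '4865..' or, in older releases, '48:65:..'."""
    return bytes.fromhex(field.replace(":", ""))


def find_occurrences(lines, needle: bytes) -> list:
    """Return (stream, timestamp, offset) for every occurrence of needle in a payload."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3 or not parts[2]:
            continue  # packet without a payload field
        ts, stream, payload = float(parts[0]), int(parts[1]), decode_hex_payload(parts[2])
        start = 0
        while (i := payload.find(needle, start)) != -1:
            hits.append((stream, ts, i))
            start = i + 1
    return hits


def first_seen_spread(hits) -> tuple:
    """Earliest timestamp per stream and the max-min spread (seconds) between streams."""
    first = {}
    for stream, ts, _ in hits:
        first[stream] = min(ts, first.get(stream, ts))
    spread = max(first.values()) - min(first.values()) if first else 0.0
    return first, spread


# Constructed sample of tshark output (not a real capture); stream 1 uses the
# older colon-separated hex form and stream 3 has no payload.
_ROWS = [(1700000000.000100, 0, b"header MARKER-42 body"),
         (1700000000.000250, 0, b"no match here"),
         (1700000000.045300, 1, b"MARKER-42 at start"),
         (1700000000.110800, 2, b"xxxxMARKER-42xxMARKER-42"),
         (1700000000.120000, 3, b"")]
SAMPLE_LINES = [f"{ts:.6f}\t{s}\t" + (":".join(f"{b:02x}" for b in p) if s == 1 else p.hex())
                for ts, s, p in _ROWS]

if __name__ == "__main__":
    hits = find_occurrences(SAMPLE_LINES, b"MARKER-42")
    print(hits, first_seen_spread(hits))
```

For the real capture replace `SAMPLE_LINES` with `tshark_lines("file.pcap")`; with one search string per line in a file, loop `find_occurrences` over them once the lines are in memory rather than re-running tshark per string.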