streamfilter

#!/bin/bash

# streamfilter v1.0 - a tool by @deadPix3l (CTN2 Curtis)
if [ $# -ne 2 ]; then
	echo "usage: $0 file.pcap \"filter\""
	echo "this script will find all tcp streams that contains packets matching the filter"
	echo "and filter for those streams. it allows you to keep entire streams that match instead of individual packets"
	echo ""
	echo "NOTE: a side effect is that no matter what, it will keep all udp traffic"
	echo " this may or may not be remedied at some future time"
	echo ""
	echo "WARNING: this will overwrite \"streamfilter.pcap\", which is a hardcoded filename. This is being updated currently"
	echo "These changes can be expected soon. in the meantime, please be aware this project is in Alpha and is not entirely stable."
	exit 1
fi

filter=$(tshark -r $1 -Y "$2" -n -Tfields -e tcp.stream |\
sort -un | awk '{printf "tcp.stream eq "$0" || "}END{print "udp"}')
tshark -r $1 -Y "$filter" -w streamfilter.pcap