Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Combines multiple pcaps, extracts and decodes TCP streams.
# Takes multiple pcap files (packet*.pcap) and...
### Combines them into one pcap (combined.pcap)
### Detects the number of TCP streams
### For each stream, converts it to ascii and stores them in order in a file (encoded_streams.txt)
### Converts URL (percent encoded) values to plaintext equivalent (decoded_streams.txt)
# Run this in the same directory as your packet*.pcap files
import urllib
from subprocess import call, Popen, PIPE
# System call to combine all the packets
call("mergecap -w combined.pcap packet*", shell=True)
# Get the number of TCP Streams
# tshark -r combined.pcap -T fields -e | sort -u | wc -l
ps = Popen(['tshark', '-rcombined.pcap','-Tfields', ''], stdout=PIPE)
ps = Popen(['sort', '-u'], stdin=ps.stdout, stdout=PIPE)
ps = Popen(['wc', '-l'], stdin=ps.stdout, stdout=PIPE)
t = int(
for i in range (0, t):
#tshark -r combined.pcap -q -z follow,tcp,ascii,0
f = open("encoded_streams.txt", "a+")
command = ["tshark", "-rcombined.pcap", "-q", "-z", "follow,tcp,ascii," + str(i)]
call(command, stdout=f)
fin = open("encoded_streams.txt")
fout = open("decoded_streams.txt", "wt")
for line in fin:
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment