Wireshark: Dump client-server dialogue
If you use "Follow TCP stream" in Wireshark, you get a very nice display of the client-server dialogue.

One color is the client, the other color is the server.

Is there a way to dump this to ASCII without losing who said what?

For example:

server> 220 "Welcome to FTP service for foo-server."
client> USER baruser
server> 331 Please specify the password.
client> supersecret

I want to avoid screenshots. Adding "server>" and "client>" to the lines is error-prone.

Hosey asked 28/8, 2015 at 7:32

Have you tried to save it as a cap file? – Shear
You can actually export the packet list to all kinds of formats. You could try to export it as a CSV to achieve your goal. – Ambi
@Bas I don't see "csv" in the export list of the "Follow TCP Stream" dialogue. I see ASCII, EBCDIC, Hex Dump, C Arrays, Raw. None of these formats is easy to read for the human eye. You can't see quickly who (client or server) said what. – Hosey

It may not be possible with the GUI version, but it's achievable with the console version tshark:

tshark -r capture.pcap -qz follow,tcp,ascii,<stream_id> > stream.txt

Replace <stream_id> with an actual stream ID (eg: 1):

tshark -r capture.pcap -qz follow,tcp,ascii,1 > stream.txt

This will output an ASCII file. How is it better than saving it directly from the GUI version? Well:

  • The data sent by the second node is prefixed with a tab to differentiate it from the data sent by the first node.

  • Since the output in ascii mode may contain newlines, the length of each section of output plus a newline precedes each section of output.

This makes the file easily parsable. Example output:

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 1
Node 0: xxx.xxx.xxx.xxx:51343
Node 1: yyy.yyy.yyy.yyy:80
786
GET ...
Host: ...
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
User-Agent: ...
Referer: ...
Accept-Encoding: ...
Accept-Language: ...
Cookie: ...

    235
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: ...
Expires: -1
X-Request-Guid: ...
Date: Mon, 31 Aug 2015 10:55:46 GMT
Content-Length: 0         
===================================================================

786\n is the length of the first output section from Node 0. \t235\n is the length of the response section from Node 1, and so on.

Consequential answered 31/8, 2015 at 11:15

Example script based on the above, needs some patching: noahdavids.org/self_published/tshark-follow-stream.html – Consequential
I use this: tshark -r tmp/ftp_2015-12-16.pcap -R ftp -tad which does output "Request" and "Response". This way I can see clearly what was spoken by the client and what by the server. – Hosey
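A parser for the length-prefixed format described in this answer, as an added example that is not part of the original answer or of tshark itself: it reads each section by its declared length (so a multi-line payload stays attributed to one side, which a line-by-line approach would get wrong) and emits the client>/server> transcript the question asked for. It assumes the length counts the characters as they appear in the saved text file and that Node 1 (the listening side, e.g. port 21 or 80) is the server; the sample input is constructed.

```python
import re

# Constructed sample in the format the answer describes: header ending with the two Node
# lines, then sections preceded by "<length>\n" (Node 0) or "\t<length>\n" (Node 1).
# The final 230 reply spans two lines on purpose: line-based parsing would mislabel it.
SAMPLE = (
    "===================================================================\n"
    "Follow: tcp,ascii\n"
    "Filter: tcp.stream eq 1\n"
    "Node 0: 192.0.2.10:51343\n"
    "Node 1: 198.51.100.5:21\n"
    "\t45\n220 \"Welcome to FTP service for foo-server.\"\n"
    "13\nUSER baruser\n"
    "\t33\n331 Please specify the password.\n"
    "17\nPASS supersecret\n"
    "\t34\n230-Welcome\n230 Login successful.\n"
    "===================================================================\n"
)
LEN_RE = re.compile(r"(\t?)(\d+)\n")  # optional tab marks Node 1, then the section length

def parse_follow(text):
    """Return ({node: 'addr:port'}, [(node, data), ...]), reading each section by its
    declared length so newlines inside the payload cannot confuse the parser."""
    nodes = {int(n): addr for n, addr in re.findall(r"^Node (\d): (\S+)$", text, re.M)}
    hdr_end = re.search(r"^Node 1: .*\n", text, re.M)
    if hdr_end is None:
        raise ValueError("not tshark follow output: no 'Node 1:' header line")
    pos, sections = hdr_end.end(), []
    while True:
        while text.startswith("\n", pos):  # tolerate blank separator lines between sections
            pos += 1
        m = LEN_RE.match(text, pos)
        if m is None:  # reached the closing '====' line or end of file
            break
        node, length = (1 if m.group(1) else 0), int(m.group(2))
        data = text[m.end():m.end() + length]
        if len(data) != length:
            raise ValueError(f"truncated section at offset {m.end()}: expected {length} chars")
        sections.append((node, data))
        pos = m.end() + length
    return nodes, sections

def transcript(text, server_node=1):
    """Prefix every payload line with its sender; Node 1 is assumed to be the server."""
    _, sections = parse_follow(text)
    lines = []
    for node, data in sections:
        who = "server" if node == server_node else "client"
        lines.extend(f"{who}> {line}" for line in data.splitlines())
    return lines
```

Run it on a real capture with `transcript(open("stream.txt").read())`; pass `server_node=0` if the stream was captured from the server's point of view and the Node order is reversed.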
