I'm trying to analyze JSON-RPC traffic from an application to understand an undocumented protocol. So far, I've been using Wireshark's "follow TCP stream" feature, but there's a lot of clicking involved.
Could I use tcpdump or tshark to accomplish something similar?
I simply need all of the TCP stream data going from/to a specific host dumped to stdout.
What you are looking for is Bro's contents script to record the payload of a TCP stream. Just invoke Bro as follows:
bro -r trace.pcap contents
which will create files in the form of
contents.<sourceIP>.<sourcePORT>-<destinationIP>.<destinationPORT>
per flow. What you get with Bro is a thoroughly tested TCP reassembler, which makes it the ideal tool for payload inspection and higher-level protocol analysis.
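As an added example (not part of the answer above and not Bro's own code): a shell function that takes the per-flow files named in the form quoted above and prints every flow involving one host to stdout. It assumes the file names follow that form exactly; the function name `dump_host_streams` and the `===` header lines are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: print the payload of every per-flow file that involves one host.
# Assumption: file names follow exactly the form quoted above:
#   contents.<sourceIP>.<sourcePORT>-<destinationIP>.<destinationPORT>

# dump_host_streams DIR HOST
#   Writes each matching file to stdout, preceded by a one-line header.
#   Files are printed one after another in glob order; nothing is interleaved.
#   Returns 1 if no file name involves HOST.
dump_host_streams() {
    local dir="$1" host="$2" found=1
    local f name src dst sip sport dip dport
    for f in "$dir"/contents.*-*; do
        [ -f "$f" ] || continue            # unmatched glob or a directory
        name=${f##*/}                      # strip the directory part
        name=${name#contents.}             # strip the fixed prefix
        src=${name%%-*}                    # <sourceIP>.<sourcePORT>
        dst=${name#*-}                     # <destinationIP>.<destinationPORT>
        sip=${src%.*}; sport=${src##*.}    # the port is the last dot-separated field
        dip=${dst%.*}; dport=${dst##*.}
        # Exact comparison, so 10.0.0.1 does not also select 10.0.0.10.
        if [ "$sip" = "$host" ] || [ "$dip" = "$host" ]; then
            printf '=== %s:%s -> %s:%s ===\n' "$sip" "$sport" "$dip" "$dport"
            cat -- "$f"
            printf '\n'
            found=0
        fi
    done
    return "$found"
}

# Usage (constructed address): dump_host_streams . 10.0.0.1
```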