Hi guys,

Please allow me to set up my question. I have successfully used tshark to output PDML and PSML. PDML contains WAY too much info; PSML too little. So I have resorted to using the -T fields option to pick out what I want.

I am able to capture all the packets I think I need to parse out the info I need, but am stumped on finding out the total time taken to complete a response. From PDML output, I can see the information I could potentially use to figure this out: the re-assembled TCP segments. For example:

  <proto name="fake-field-wrapper">
    <field name="tcp.segments" showname="Reassembled TCP Segments (73278 bytes): #16(1460), #17(1460), #19(1460), #20(1460), #21(1460), #" size="73278" pos="0" show="" value="">
      <field name="tcp.segment" showname="Frame: 16, payload: 0-1459 (1460 bytes)" size="1460" pos="0" show="16" />
      <field name="tcp.segment" showname="Frame: 17, payload: 1460-2919 (1460 bytes)" size="1460" pos="1460" show="17" />
      <field name="tcp.segment" showname="Frame: 19, payload: 2920-4379 (1460 bytes)" size="1460" pos="2920" show="19" />
      <field name="tcp.segment" showname="Frame: 20, payload: 4380-5839 (1460 bytes)" size="1460" pos="4380" show="20" />
      <field name="tcp.segment" showname="Frame: 21, payload: 5840-7299 (1460 bytes)" size="1460" pos="5840" show="21" />
      <field name="tcp.segment" showname="Frame: 23, payload: 7300-8759 (1460 bytes)" size="1460" pos="7300" show="23" />
      <field name="tcp.segment" showname="Frame: 24, payload: 8760-10219 (1460 bytes)" size="1460" pos="8760" show="24" />
      <field name="tcp.segment" showname="Frame: 25, payload: 10220-11679 (1460 bytes)" size="1460" pos="10220" show="25" />
      <field name="tcp.segment" showname="Frame: 27, payload: 11680-13139 (1460 bytes)" size="1460" pos="11680" show="27" />
      <field name="tcp.segment" showname="Frame: 28, payload: 13140-14599 (1460 bytes)" size="1460" pos="13140" show="28" />
      <field name="tcp.segment" showname="Frame: 29, payload: 14600-16059 (1460 bytes)" size="1460" pos="14600" show="29" />
      <field name="tcp.segment" showname="Frame: 31, payload: 16060-17519 (1460 bytes)" size="1460" pos="16060" show="31" />
      <field name="tcp.segment" showname="Frame: 32, payload: 17520-18979 (1460 bytes)" size="1460" pos="17520" show="32" />
      <field name="tcp.segment" showname="Frame: 34, payload: 18980-20439 (1460 bytes)" size="1460" pos="18980" show="34" />
      <field name="tcp.segment" showname="Frame: 35, payload: 20440-21899 (1460 bytes)" size="1460" pos="20440" show="35" />
      <field name="tcp.segment" showname="Frame: 37, payload: 21900-23359 (1460 bytes)" size="1460" pos="21900" show="37" />
      <field name="tcp.segment" showname="Frame: 38, payload: 23360-24819 (1460 bytes)" size="1460" pos="23360" show="38" />
      <field name="tcp.segment" showname="Frame: 40, payload: 24820-26279 (1460 bytes)" size="1460" pos="24820" show="40" />
      <field name="tcp.segment" showname="Frame: 41, payload: 26280-27739 (1460 bytes)" size="1460" pos="26280" show="41" />
      <field name="tcp.segment" showname="Frame: 43, payload: 27740-29199 (1460 bytes)" size="1460" pos="27740" show="43" />
      <field name="tcp.segment" showname="Frame: 44, payload: 29200-30659 (1460 bytes)" size="1460" pos="29200" show="44" />
      <field name="tcp.segment" showname="Frame: 45, payload: 30660-32119 (1460 bytes)" size="1460" pos="30660" show="45" />
      <field name="tcp.segment" showname="Frame: 47, payload: 32120-33579 (1460 bytes)" size="1460" pos="32120" show="47" />
      <field name="tcp.segment" showname="Frame: 48, payload: 33580-35039 (1460 bytes)" size="1460" pos="33580" show="48" />
    </field>
  </proto>

However, I can't get tshark to output all the tcp.segment nodes. I only get the last one. This is my argument list for tshark:

  -i 2 -T fields -E header=y -E separator="#" -e ip.src -e ip.dst -e frame.time -e ip.src_host -e ip.dst_host -e http.request.method -e http.content_length -e http.content_type -e http.host -e http.request.uri -f "tcp port 80"

So finally my questions are:

1) Can tshark output ALL the tcp.segment info?
2) Could I somehow change the data that psml/pdml outputs?
3) I also need to connect a response to a request; how do I do that?
4)

Thanks!
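As an added example (not part of the original post or of Wireshark), the script below shows one way to get the numbers the post is after from full PDML rather than from -T fields: it parses a small, hand-constructed PDML excerpt in the same shape as tshark -T pdml output, collects every tcp.segment frame listed under tcp.segments in the packet where reassembly completes, reads each frame's frame.time_epoch, and computes the elapsed time from the first segment to the last. When Wireshark has matched an HTTP response to its request, the response packet also carries an http.request_in field pointing at the request's frame number, which the script uses to compute request-to-response time. The field names (frame.number, frame.time_epoch, tcp.segments, tcp.segment, http.request_in, http.response_in) are real Wireshark field names; the frame numbers, timestamps and packet layout in SAMPLE_PDML are made up for the example. For -T fields, tshark's -E occurrence=f|l|a option selects whether the first, last or all occurrences of a multi-valued field are printed.

```python
"""Time a reassembled TCP response from tshark PDML output.

Added example, not from the original post.  SAMPLE_PDML is a constructed
excerpt in the shape of `tshark -T pdml` output: frames 15 (HTTP request),
16, 17, 19 (response segments) and 48 (last segment, where the reassembly
and the HTTP response are reported).  Timestamps are invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_PDML = """<?xml version="1.0"?>
<pdml>
  <packet>
    <proto name="frame">
      <field name="frame.number" show="15"/>
      <field name="frame.time_epoch" show="100.000"/>
    </proto>
    <proto name="http">
      <field name="http.request.method" show="GET"/>
      <field name="http.response_in" show="48"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame">
      <field name="frame.number" show="16"/>
      <field name="frame.time_epoch" show="100.010"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame">
      <field name="frame.number" show="17"/>
      <field name="frame.time_epoch" show="100.020"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame">
      <field name="frame.number" show="19"/>
      <field name="frame.time_epoch" show="100.030"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame">
      <field name="frame.number" show="48"/>
      <field name="frame.time_epoch" show="100.100"/>
    </proto>
    <proto name="fake-field-wrapper">
      <field name="tcp.segments" showname="Reassembled TCP Segments" show="">
        <field name="tcp.segment" showname="Frame: 16" show="16"/>
        <field name="tcp.segment" showname="Frame: 17" show="17"/>
        <field name="tcp.segment" showname="Frame: 19" show="19"/>
        <field name="tcp.segment" showname="Frame: 48" show="48"/>
      </field>
    </proto>
    <proto name="http">
      <field name="http.response.code" show="200"/>
      <field name="http.request_in" show="15"/>
    </proto>
  </packet>
</pdml>
"""


def frame_times(root):
    """Map frame.number -> frame.time_epoch (float seconds) for every packet."""
    times = {}
    for pkt in root.iter("packet"):
        num = pkt.find("proto[@name='frame']/field[@name='frame.number']")
        ts = pkt.find("proto[@name='frame']/field[@name='frame.time_epoch']")
        if num is not None and ts is not None:
            times[int(num.get("show"))] = float(ts.get("show"))
    return times


def reassembly_report(pdml_text):
    """One entry per packet that carries a tcp.segments list.

    segment_span_s is the time between the first and last segment frame;
    response_time_s (when http.request_in is present) is the time from the
    request frame to the frame in which the response was reassembled.
    """
    root = ET.fromstring(pdml_text)
    times = frame_times(root)
    report = []
    for pkt in root.iter("packet"):
        seglist = pkt.find(".//field[@name='tcp.segments']")
        if seglist is None:
            continue
        here = int(pkt.find("proto[@name='frame']/field[@name='frame.number']").get("show"))
        frames = [int(f.get("show")) for f in seglist.findall("field[@name='tcp.segment']")]
        # Segment frames may be missing from a filtered capture; only time the ones we have.
        known = [f for f in frames if f in times]
        if not known:
            continue
        entry = {
            "reassembled_in": here,
            "segment_frames": frames,
            "segment_count": len(frames),
            "segment_span_s": round(times[max(known)] - times[min(known)], 6),
        }
        req = pkt.find(".//field[@name='http.request_in']")
        if req is not None and int(req.get("show")) in times:
            req_frame = int(req.get("show"))
            entry["request_frame"] = req_frame
            entry["response_time_s"] = round(times[here] - times[req_frame], 6)
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in reassembly_report(SAMPLE_PDML):
        print(entry)
```

To run it against a real capture, replace SAMPLE_PDML with the text of `tshark -r capture.pcap -T pdml`; the lookups only depend on the frame, tcp.segments and http fields, so the rest of the PDML bulk is ignored.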