Wireshark-users: Re: [Wireshark-users] Regarding tcp.stream filtering.
From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Fri, 11 Dec 2009 12:57:53 +0100
Hi Med,
 
This is "expected" behavior. Internally, Wireshark uses conversations to keep track of sessions. These conversations are not limited to TCP (also UDP traffic can cause a conversation entry to be created for example). To make implementation easier, processing faster and memory footprint lighter, I used the conversation index as value for tcp.stream. This indeed means that there can be gaps in the numbering. Please also note that tcp.stream can also be 0.
 
Hope this clarifies things,
Cheers,
 
 
Sake
 
----- Original Message -----
Sent: Friday, December 11, 2009 12:36 PM
Subject: [Wireshark-users] Regarding tcp.stream filtering.

Hi everyone

I have made a bash script counting from 1 to whatever is needed.
It runs a filter tcp.stream == $count and does what you can see...

1. tshark -r capture.cap -R "tcp.stream == $count" > capture$count.stream
2. tshark -r capture.cap -R "tcp.stream == $count" -w capture$count.cap
3. tshark -r capture.cap -q -z io,stat,120 > capture$count.csv

In the first file I take the first packet and the last packet and calculate the difference to find when the stream started and ended.
In the second and third files I count the number of packets and the number of bytes.

Doing that I found out that there might be some gaps between streams, such as 1, 2, 3, 5, 7, 8, 9, 10.
How is that?
I thought Wireshark / tshark counted the stream and numbered in a series.



--
Kind regards,
Rikard Svenningsen
Smalager 36
DK-7120
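As an added example that is not part of either message above: a shell sketch of what Sake's answer implies for the script, namely iterating over the tcp.stream values that actually occur in the capture rather than a counter from 1 (gaps are conversation indexes used by non-TCP traffic), and computing start, end, packet count and bytes for every stream in a single tshark pass instead of three per stream. The tshark field names are real; the capture output below is constructed sample data, and non-TCP frames appear with an empty tcp.stream field just as tshark prints them.

```shell
#!/bin/sh
# Constructed sample of what this command prints (tab-separated, one frame per line):
#   tshark -r capture.cap -T fields -e tcp.stream -e frame.time_epoch -e frame.len
# Stream 3 is missing: the conversation index in between belongs to a UDP
# conversation, whose frames show up with an empty tcp.stream field.
SAMPLE=$(printf '0\t1260532560.000\t74\n0\t1260532560.010\t74\n1\t1260532561.000\t66\n0\t1260532562.500\t1514\n2\t1260532563.000\t74\n\t1260532565.000\t90\n4\t1260532570.000\t60\n1\t1260532571.250\t1400\n4\t1260532575.000\t60\n')

# tcp.stream values actually present, sorted and de-duplicated (may start at 0, may have gaps).
# Loop over this list instead of a counter, e.g.: for s in $(list_streams); do ...; done
list_streams() {
    printf '%s\n' "$SAMPLE" | awk -F'\t' '$1 != "" { print $1 }' | sort -nu
}

# One line per stream: id, first time, last time, duration (s), packets, bytes.
# Frames without a tcp.stream value (non-TCP) are skipped.
stream_summary() {
    printf '%s\n' "$SAMPLE" | awk -F'\t' '
        $1 == "" { next }
        !($1 in first) || $2 < first[$1] { first[$1] = $2 }
        !($1 in last)  || $2 > last[$1]  { last[$1]  = $2 }
        { pkts[$1]++; bytes[$1] += $3 }
        END {
            for (s in first)
                printf "%s\t%.3f\t%.3f\t%.3f\t%d\t%d\n",
                       s, first[s], last[s], last[s] - first[s], pkts[s], bytes[s]
        }' | sort -n
}

# Against a real capture file, feed live tshark output to the same awk program:
#   tshark -r capture.cap -T fields -e tcp.stream -e frame.time_epoch -e frame.len | awk ...
```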


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe