Wireshark-users: Re: [Wireshark-users] tshark and tcp streams
From: Douglas Ross <doug_ross_59@xxxxxxxxxxx>
Date: Mon, 31 May 2010 07:39:36 +0000 (GMT)
Hi Martin,
Thanks for the suggestion. I'll try submitting a bug/enhancement request.
I don't think Wireshark would have a problem reasonably identifying and equating streams, if it includes a check of time stamps.
Regards
Doug
From: Martin Visser <martinvisser99@xxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Mon, 31 May, 2010 3:30:57 PM
Subject: Re: [Wireshark-users] tshark and tcp streams
Douglas,
It might be worth submitting a bug report for a feature request for this. There is no real reason why for instance Wireshark (bit harder with tshark) couldn't "remember" tcp.streams it has discovered and reuse those values between files being opened, based on the IP address, TCP ports and SEQs. Of course the problem is that Wireshark can't really verify the legitimacy of doing so if it doesn't see the whole conversation. (Two captures from a year apart might have the same IP address and TCP port pair and SEQ numbers that are valid, but of course may or may not be the same session/stream).
On Mon, May 31, 2010 at 2:43 PM, Douglas Ross <doug_ross_59@xxxxxxxxxxx> wrote:
Hi Joke,
Thanks for the added info.
Yes I did realise that indices are restarted (from 0) at the start of a new file, so if a stream continues over from file.a into file.b, it will have a different tcp.stream index in file.b :(
That's why I raised my original request.
Regards, and
Goed gedaan :) (?)
Doug
Sent: Mon, 31 May, 2010 1:31:13 AM
From: j.snelders <j.snelders@xxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark and tcp streams
Hi Doug,
You're welcome ;-)
Just another note.
If you use tcp.stream across multiple files, keep in mind that the stream
index numbers can represent different combinations of IP addresses and port numbers;
e.g.
file a: tcp.stream==22 192.168.1.10 49653 207.241.229.39 80
file b: tcp.stream==22 192.168.1.10 49664 207.204.17.246 80
file c: tcp.stream==22
file d: tcp.stream==22 192.168.1.10 49693 67.228.110.120 80
BTW
You can use mergecap to merge multiple captures into a single output file:
mergecap -w test2905.pcap file_a.pcap file_b.pcap file_c.pcap file_d.pcap
http://www.wireshark.org/docs/man-pages/mergecap.html
Greetings
Joke
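The per-file tcp.stream problem described just above, together with Martin's "remember the stream by address and ports" idea and Doug's timestamp check from the top of the thread, worked through as an added example (this is not code from the thread or from Wireshark): a stdlib-only Python parser that pulls the IPv4/TCP 4-tuple out of each pcap record and assigns one stream id across several files, keyed on the endpoint pair instead of the per-file index, and starts a new id when the same 4-tuple reappears after an assumed idle gap (MAX_IDLE, a value chosen here). The captures are constructed in memory from the addresses and ports used as examples in this thread.

```python
import socket
import struct
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic, microsecond timestamps
MAX_IDLE = 3600          # assumed: a gap longer than this means a new session, not a continuation

def build_pcap(packets):
    # Constructed pcap blob (linktype 1 = Ethernet) from (ts_sec, frame) records
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in packets)

def build_tcp_frame(src, sport, dst, dport):
    # Constructed Ethernet/IPv4/TCP frame without payload (checksums left at zero)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def tcp_tuples(pcap):
    # Yield (ts_sec, src, sport, dst, dport) for every IPv4/TCP record in a pcap blob
    endian = "<" if struct.unpack_from("<I", pcap, 0)[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        sport, dport = struct.unpack_from("!HH", frame, 14 + (frame[14] & 0x0F) * 4)
        yield ts, socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport

def stream_index(files, max_idle=MAX_IDLE):
    # (file, ts, stream_id) rows: the id is keyed on the endpoint pair, not on each file's
    # tcp.stream, so it survives file boundaries; a gap over max_idle starts a new id
    last, rows, next_id = {}, [], 0
    for name, blob in files:
        for ts, src, sport, dst, dport in tcp_tuples(blob):
            key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent
            sid, seen = last.get(key, (None, None))
            if sid is None or ts - seen > max_idle:
                sid, next_id = next_id, next_id + 1
            last[key] = (sid, ts)
            rows.append((name, ts, sid))
    return rows

# Constructed captures: A starts in file_a and continues in file_b, B is new in file_b,
# and A's 4-tuple reappears a year later in file_c as a different session
A, B = ("192.168.1.10", 49653, "207.241.229.39", 80), ("192.168.1.10", 49664, "207.204.17.246", 80)
SAMPLE_FILES = [
    ("file_a.pcap", build_pcap([(1000, build_tcp_frame(*A)), (1001, build_tcp_frame(A[2], A[3], A[0], A[1]))])),
    ("file_b.pcap", build_pcap([(1002, build_tcp_frame(*A)), (1003, build_tcp_frame(*B))])),
    ("file_c.pcap", build_pcap([(1000 + 365 * 86400, build_tcp_frame(*A))]))]
```

Calling stream_index(SAMPLE_FILES) gives ids 0, 0, 0, 1, 2: the conversation keeps id 0 across file_a and file_b in both directions, while the year-later reuse of the same 4-tuple gets its own id, which is exactly what a per-file tcp.stream cannot tell you.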
On Sun, 30 May 2010 10:41:37 +0000 (GMT) Douglas Ross wrote:
>Hi Joan,
>
>Thanks very much for taking the time to reply, and explain -- even doing
>the job for me ;)
>
>I'm not familiar with tshark, as you may tell, but I guessed that the only
>way would probably involve concatenating files first. However, I wanted a
>more automated method.
>
>A few years ago I did some analysis of ethereal files, and coded my own
>software to extract data, automatically accessing the next available file,
>and optionally following files in real time. However, my data extraction
>routine was rather basic. So I was hoping to use tshark's tcp.stream
>recognition process to improve on it.
>
>My current project requires more work of me to better understand the data
>packaging layers, so I'll revisit my old code and perhaps integrate it with
>tshark ..
>
>Thanks again, or dank u wel ;)
>
>Goeiendag
>Doug
>(excuse my Dutch :(
Well done ;-)
>
>________________________________
>From: j.snelders <j.snelders@xxxxxxxxxx>
>To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>Sent: Sat, 29 May, 2010 9:31:17 PM
>Subject: Re: [Wireshark-users] tshark and tcp streams
>
>Hi Douglas,
>
>Can TShark statistics help you?
>Create a table that lists all conversations that could be seen in the capture
>file:
>-z conv,type[,filter]
>http://www.wireshark.org/docs/man-pages/tshark.html
>
>Run this script to create a table that lists the conversations in multiple
>files.
>Use paste --serial to merge the text files.
>Use rm to remove the temporary files.
>
>for file in test2905*.pcap
>do
>  tshark -r "$file" -q -z conv,tcp > "tmp-$file.txt"
>done
>paste --serial tmp*.pcap.txt > test2905.txt
>rm -f tmp-*
>
>
>Look for the conversation you want to extract from the capture files:
>TCP Conversations
>Filter:<No Filter>
>                                           |       <-      | |       ->      | |     Total     |
>                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
>192.168.1.10:49664 <-> 207.204.17.246:80        83    121342      42      2622     125    123964
>
>Create a display filter:
>ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80
>
>
>Run this script to save the packets to separate files, merge these files
>and remove the temporary files:
>
>for file in test2905*.pcap
>do
>  tshark -r "$file" -w "tmp-$file" -R "ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80"
>done
>mergecap -w test2905c.pcap tmp-*
>rm -f tmp-*
>
>
>Hope this helps
>Joan
>
>
>On Fri, 28 May 2010 21:29:42 +0000 (GMT) Douglas Ross wrote:
>>Thanks to Abhik for revealing the tshark commands: -T fields -e tcp.stream
>>(see tshark command 19-21 May)
>>
>>But, does anyone know how to get tshark to follow streams across capture
>>files ?
>>
>>Cheers
>>Doug
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe