On 4 jan 2011, at 01:26, Pushkar Tiwari wrote:
> I am trying to write an application that can do TCP stream analysis from the input pcap file. I am interested in following parameters:
> - Total number of TCP streams
> - Source IP, Source Port, Dest IP, Dest Port of each stream
> - Stream length (inbound and outbound)
> - Application protocol like HTTP if any
> - Querying PCAP file based on above parameters, like check if there is a stream with specified source IP and Port
>
> Can I achieve all of these tasks using some Wireshark API in my program? If not, is there any other library that can help to achieve it?
You can achieve most of your objectives with tshark:
$ tshark -r ../pcap/http.cap -qz conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
| <- | | -> | | Total |
| Frames Bytes | | Frames Bytes | | Frames Bytes |
192.168.1.43:50171 <-> 109.74.197.217:http 614 916576 362 28752 976 945328
192.168.1.43:50180 <-> 217.196.32.147:http 265 352526 203 35931 468 388457
192.168.1.43:50181 <-> 217.196.32.147:http 255 342522 197 36468 452 378990
192.168.1.43:50173 <-> 109.74.197.217:http 200 290884 125 11707 325 302591
192.168.1.43:50245 <-> 82.94.174.141:http 143 209012 92 10849 235 219861
192.168.1.43:50176 <-> 217.196.32.16:http 140 207808 80 5845 220 213653
192.168.1.43:50204 <-> 209.84.12.126:http 94 136365 57 7290 151 143655
192.168.1.43:50254 <-> 82.94.174.141:http 49 67994 35 5431 84 73425
192.168.1.43:50166 <-> 66.102.13.103:http 44 53406 39 7799 83 61205
192.168.1.43:50167 <-> 66.102.13.101:http 25 9752 44 17190 69 26942
192.168.1.43:50255 <-> 217.196.32.16:http 36 50344 26 2475 62 52819
[...]
192.168.1.43:50256 <-> 82.94.174.141:http 3 1919 4 931 7 2850
192.168.1.43:50253 <-> 66.102.13.145:http 3 691 4 941 7 1632
192.168.1.43:50257 <-> 82.94.174.141:http 2 1546 4 931 6 2477
192.168.1.43:49399 <-> 208.43.202.26:http 2 330 2 297 4 627
192.168.1.43:50092 <-> 66.220.145.40:http 2 261 2 1307 4 1568
================================================================================
$
Have a look at the manpage for more statistics options (-z ...).
Hope this helps,
Cheers,
Sake
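As an added example (not part of the thread, and not Wireshark's or tshark's own code): a small Python parser for the `tshark -qz conv,tcp` output shown above that answers the questions in the original mail from a pcap's conversation table: stream count, the two endpoints of each stream, bytes in each direction, the application protocol tshark printed for the port, and a lookup by source IP and port. The sample text is a constructed, trimmed copy of the output in the mail; the column assignment (the `<-` pair counted as traffic from the right-hand endpoint to the left-hand one) is an assumption, and all function names are the example's own.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the `tshark -r http.cap -qz conv,tcp` output from the mail.
SAMPLE_OUTPUT = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.43:50171 <-> 109.74.197.217:http     614  916576     362   28752     976  945328
192.168.1.43:50180 <-> 217.196.32.147:http     265  352526     203   35931     468  388457
192.168.1.43:50167 <-> 66.102.13.101:http       25    9752      44   17190      69   26942
192.168.1.43:49399 <-> 208.43.202.26:http        2     330       2     297       4     627
================================================================================
"""


@dataclass(frozen=True)
class TcpConversation:
    addr_a: str
    port_a: str        # numeric string, or a service name ("http") when tshark resolves ports
    addr_b: str
    port_b: str
    frames_to_a: int   # "<-" columns: assumed to be traffic from B to A
    bytes_to_a: int
    frames_to_b: int   # "->" columns: assumed to be traffic from A to B
    bytes_to_b: int
    frames_total: int
    bytes_total: int

    @property
    def app_protocol(self) -> Optional[str]:
        """Best-effort application protocol: the service name tshark printed for either port."""
        for port in (self.port_a, self.port_b):
            if not port.isdigit():
                return port
        return None


# One conversation row: "A:pa <-> B:pb f1 b1 f2 b2 ft bt". The greedy \S+ backtracks to the
# last ':' so IPv6 addresses (which contain ':') still split correctly from the port.
_ROW = re.compile(
    r"^(?P<a>\S+):(?P<pa>\S+)\s+<->\s+(?P<b>\S+):(?P<pb>\S+)"
    r"\s+(?P<f1>\d+)\s+(?P<b1>\d+)\s+(?P<f2>\d+)\s+(?P<b2>\d+)\s+(?P<ft>\d+)\s+(?P<bt>\d+)\s*$"
)


def parse_conversations(text: str) -> List[TcpConversation]:
    """Parse the conversation rows out of `-z conv,tcp` output; header and rule lines are skipped."""
    convs = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        convs.append(TcpConversation(
            m["a"], m["pa"], m["b"], m["pb"],
            int(m["f1"]), int(m["b1"]), int(m["f2"]), int(m["b2"]),
            int(m["ft"]), int(m["bt"]),
        ))
    return convs


def find_streams(convs: List[TcpConversation], ip: str,
                 port: Optional[str] = None) -> List[TcpConversation]:
    """Streams in which `ip` (and, if given, `port`) is either endpoint."""
    def matches(addr: str, p: str) -> bool:
        return addr == ip and (port is None or p == port)
    return [c for c in convs if matches(c.addr_a, c.port_a) or matches(c.addr_b, c.port_b)]


def host_traffic(convs: List[TcpConversation], host: str) -> Tuple[int, int]:
    """(bytes received, bytes sent) for `host`, summed over every stream it takes part in."""
    received = sent = 0
    for c in convs:
        if c.addr_a == host:
            received, sent = received + c.bytes_to_a, sent + c.bytes_to_b
        elif c.addr_b == host:
            received, sent = received + c.bytes_to_b, sent + c.bytes_to_a
    return received, sent


def conversations_from_pcap(pcap_path: str) -> List[TcpConversation]:
    """Run the tshark command from the mail on a real capture (requires tshark on PATH)."""
    out = subprocess.run(["tshark", "-r", pcap_path, "-qz", "conv,tcp"],
                         capture_output=True, text=True, check=True).stdout
    return parse_conversations(out)


if __name__ == "__main__":
    convs = parse_conversations(SAMPLE_OUTPUT)
    print("total TCP streams:", len(convs))
    for c in convs:
        print(f"{c.addr_a}:{c.port_a} <-> {c.addr_b}:{c.port_b} "
              f"in={c.bytes_to_a} out={c.bytes_to_b} proto={c.app_protocol}")
    print("client traffic (rx, tx):", host_traffic(convs, "192.168.1.43"))
    print("stream 192.168.1.43:50180 present:", bool(find_streams(convs, "192.168.1.43", "50180")))
```

Only the statistics tshark already computes are available this way; per-stream payload reassembly (the actual bytes of a request or response) still needs `tshark -z follow,tcp,...` or a full dissector library, which the parser above does not replace.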