Wireshark mailing list archives
Re: tshark and tcp streams
From: "j.snelders" <j.snelders () telfort nl>
Date: Sun, 30 May 2010 17:31:13 +0200
Hi Doug,

You're welcome ;-)

Just another note. If you use tcp.stream across multiple files, keep in mind that the stream index numbers can represent different combinations of IP addresses and port numbers, e.g.:

  file a: tcp.stream==22   192.168.1.10 49653   207.241.229.39 80
  file b: tcp.stream==22   192.168.1.10 49664   207.204.17.246 80
  file c: tcp.stream==22
  file d: tcp.stream==22   192.168.1.10 49693   67.228.110.120 80

BTW, you can use mergecap to merge multiple captures into a single output file:

  mergecap -w test2905.pcap file_a.pcap file_b.pcap file_c.pcap file_d.pcap

http://www.wireshark.org/docs/man-pages/mergecap.html

Greetings
Joke

On Sun, 30 May 2010 10:41:37 +0000 (GMT) Douglas Ross wrote:
Hi Joan,

Thanks very much for taking the time to reply, and explain -- even doing the job for me ;) I'm not familiar with tshark, as you may tell, but I guessed that the only way would probably involve concatenating files first. However, I wanted a more automated method. A few years ago I did some analysis of ethereal files, and coded my own software to extract data, automatically accessing the next available file, and optionally following files in real time. However, my data extraction routine was rather basic. So I was hoping to use tshark's tcp.stream recognition process to improve on it. My current project requires more work of me to better understand the data packaging layers, so I'll revisit my old code and perhaps integrate it with tshark ..

Thanks again, or dank u wel (thank you) ;)

Goeiendag (good day)
Doug (excuse my Dutch :(

Goed gedaan (well done) ;-)
________________________________
From: j.snelders <j.snelders () telfort nl>
To: Community support list for Wireshark <wireshark-users () wireshark org>
Sent: Sat, 29 May, 2010 9:31:17 PM
Subject: Re: [Wireshark-users] tshark and tcp streams

Hi Douglas,

Can TShark statistics help you? Create a table that lists all conversations that could be seen in the capture file:

  -z conv,type[,filter]

http://www.wireshark.org/docs/man-pages/tshark.html

Run this script to create a table that lists the conversations in multiple files. Use paste --serial to merge the text files. Use rm to remove the temporary files.

  # one TCP conversation table per capture file (glob instead of `ls`, so
  # names with spaces survive)
  for file in test2905*.pcap
  do
    tshark -r "$file" -q -z conv,tcp > "tmp-$file.txt"
  done
  paste --serial tmp*.pcap.txt > test2905.txt
  rm -f tmp-*

Look for the conversation you want to extract from the capture files:

  TCP Conversations
  Filter:<No Filter>
                                                 |       <-      | |       ->      | |     Total     |
                                                 | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
  192.168.1.10:49664  <-> 207.204.17.246:80           83   121342      42     2622     125   123964

Create a display filter:

  ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80

Run this script to save the packets to separate files, merge these files and remove the temporary files:

  # -R was the read filter in the TShark of 2010; current releases take the
  # same display filter with -Y (or -2 -R for a two-pass read filter)
  for file in test2905*.pcap
  do
    tshark -r "$file" -w "tmp-$file" -R "ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80"
  done
  mergecap -w test2905c.pcap tmp-*
  rm -f tmp-*

Hope this helps
Joan

On Fri, 28 May 2010 21:29:42 +0000 (GMT) Douglas Ross wrote:
Thanks to Abhik for revealing the tshark commands: -T fields -e tcp.stream (see tshark command 19-21 May). But, does anyone know how to get tshark to follow streams across capture files?
Cheers
Doug
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
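The point made above (tcp.stream is numbered per capture file, so the same index means a different conversation in each file, and only the endpoint 4-tuple is stable) is shown here in an added example. This is not code from the thread or from the Wireshark project. It parses the tab-separated lines that "tshark -r FILE -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.stream" emits, keys each packet by a direction-independent endpoint pair, and then looks up which per-file stream index carries a chosen conversation. The sample packet lines and file names are constructed for the example, not real captures.

```python
"""Follow one TCP conversation across several capture files.

Added example (not from the thread). The tcp.stream index that tshark
assigns is local to each file, so tcp.stream==22 can be a different
conversation in every capture. Keying on the normalised endpoint pair
instead survives across files and also yields the display filter used
in the thread.

Input format per line (tab separated), as produced by:
  tshark -r FILE -T fields -e frame.number -e ip.src -e tcp.srcport \
         -e ip.dst -e tcp.dstport -e tcp.stream
"""

# Constructed sample output, keyed by a hypothetical file name.
SAMPLE = {
    "file_a.pcap": [
        "1\t192.168.1.10\t49653\t207.241.229.39\t80\t22",
        "2\t207.241.229.39\t80\t192.168.1.10\t49653\t22",
        "3\t192.168.1.10\t49664\t207.204.17.246\t80\t23",
    ],
    "file_b.pcap": [
        "1\t192.168.1.10\t49664\t207.204.17.246\t80\t22",
        "2\t207.204.17.246\t80\t192.168.1.10\t49664\t22",
    ],
    "file_d.pcap": [
        "1\t192.168.1.10\t49693\t67.228.110.120\t80\t22",
        "2\t192.168.1.10\t49664\t207.204.17.246\t80\t23",
    ],
}


def conv_key(src, sport, dst, dport):
    """Direction-independent key: sort the two endpoints so that both
    halves of a conversation collapse onto the same tuple."""
    return tuple(sorted([(src, int(sport)), (dst, int(dport))]))


def parse_fields(lines):
    """Parse tshark -T fields lines into (frame, key, stream) tuples."""
    packets = []
    for line in lines:
        frame, src, sport, dst, dport, stream = line.rstrip("\n").split("\t")
        packets.append((int(frame), conv_key(src, sport, dst, dport), int(stream)))
    return packets


def stream_map(files):
    """Per file, map tcp.stream index -> conversation key.

    Returns {filename: {stream_index: key}}; comparing the inner dicts
    shows why the index must not be compared across files."""
    result = {}
    for name, lines in files.items():
        per_file = {}
        for _, key, stream in parse_fields(lines):
            per_file.setdefault(stream, key)
        result[name] = per_file
    return result


def locate_conversation(files, key):
    """For each file, the tcp.stream index that carries conversation `key`,
    or None when the file does not contain it. This is the cross-file
    lookup that tcp.stream alone cannot provide."""
    found = {}
    for name, per_file in stream_map(files).items():
        found[name] = next((s for s, k in per_file.items() if k == key), None)
    return found


def display_filter(key):
    """Build the 4-tuple display filter from the thread; it matches both
    directions because ip.addr and tcp.port test either end of a packet."""
    (ip1, p1), (ip2, p2) = key
    return (f"ip.addr=={ip1} && tcp.port=={p1} && "
            f"ip.addr=={ip2} && tcp.port=={p2}")


if __name__ == "__main__":
    key = conv_key("192.168.1.10", 49664, "207.204.17.246", 80)
    for name, idx in locate_conversation(SAMPLE, key).items():
        print(f"{name}: tcp.stream=={idx}")
    print(display_filter(key))
```

Run against real data by replacing SAMPLE with the output of the tshark -T fields command above, one list per file. The resulting per-file stream index can then be fed back to tshark as "tcp.stream==N" for that file only, or the generated 4-tuple filter can be used unchanged across every file, which is what the merge script in the thread does.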
Current thread:
- tshark and tcp streams Douglas Ross (May 28)
- Re: tshark and tcp streams j.snelders (May 29)
- Re: tshark and tcp streams Douglas Ross (May 30)
- Re: tshark and tcp streams j.snelders (May 30)
- Re: tshark and tcp streams Douglas Ross (May 30)
- Re: tshark and tcp streams Martin Visser (May 30)
- Re: tshark and tcp streams Douglas Ross (May 31)
- Re: tshark and tcp streams Douglas Ross (May 30)
- Re: tshark and tcp streams j.snelders (May 29)