Wireshark mailing list archives
Re: TCP Stream analysis using wireshark API
From: Sake Blok <sake () euronet nl>
Date: Tue, 4 Jan 2011 09:43:27 +0100
On 4 jan 2011, at 01:26, Pushkar Tiwari wrote:
I am trying to write an application that can do TCP stream analysis from the input pcap file. I am interested in the following parameters:
- Total number of TCP streams
- Source IP, Source Port, Dest IP, Dest Port of each stream
- Stream length (inbound and outbound)
- Application protocol like HTTP, if any
- Querying the PCAP file based on the above parameters, like checking if there is a stream with a specified source IP and Port
Can I achieve all of these tasks using some Wireshark API in my program? If not, is there any other library that can help achieve it?
You can achieve most of your objectives with tshark:

$ tshark -r ../pcap/http.cap -qz conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                            |       <-      | |       ->      | |     Total     |
                                            | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.43:50171 <-> 109.74.197.217:http     614    916576     362     28752     976    945328
192.168.1.43:50180 <-> 217.196.32.147:http     265    352526     203     35931     468    388457
192.168.1.43:50181 <-> 217.196.32.147:http     255    342522     197     36468     452    378990
192.168.1.43:50173 <-> 109.74.197.217:http     200    290884     125     11707     325    302591
192.168.1.43:50245 <-> 82.94.174.141:http      143    209012      92     10849     235    219861
192.168.1.43:50176 <-> 217.196.32.16:http      140    207808      80      5845     220    213653
192.168.1.43:50204 <-> 209.84.12.126:http       94    136365      57      7290     151    143655
192.168.1.43:50254 <-> 82.94.174.141:http       49     67994      35      5431      84     73425
192.168.1.43:50166 <-> 66.102.13.103:http       44     53406      39      7799      83     61205
192.168.1.43:50167 <-> 66.102.13.101:http       25      9752      44     17190      69     26942
192.168.1.43:50255 <-> 217.196.32.16:http       36     50344      26      2475      62     52819
[...]
192.168.1.43:50256 <-> 82.94.174.141:http        3      1919       4       931       7      2850
192.168.1.43:50253 <-> 66.102.13.145:http        3       691       4       941       7      1632
192.168.1.43:50257 <-> 82.94.174.141:http        2      1546       4       931       6      2477
192.168.1.43:49399 <-> 208.43.202.26:http        2       330       2       297       4       627
192.168.1.43:50092 <-> 66.220.145.40:http        2       261       2      1307       4      1568
================================================================================
$

Have a look at the manpage for more statistics options (-z ...).

Hope this helps,

Cheers,
Sake
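As an added example (not from the thread, and not Wireshark project code), a small Python script that parses the table `tshark -qz conv,tcp` prints, so the stream count, endpoints, per-direction byte counts and the "is there a stream from this IP and port" query from the question can be answered programmatically. The sample table is constructed from two rows of the output above; the `tshark_conv_tcp` helper assumes tshark is on PATH, and the port column holds a service name ("http") unless tshark is run with `-n`.

```python
"""Parse the text table printed by `tshark -qz conv,tcp` into records."""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample: two rows copied from the tshark output in the thread.
SAMPLE = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                            |       <-      | |       ->      | |     Total     |
                                            | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.43:50171 <-> 109.74.197.217:http     614    916576     362     28752     976    945328
192.168.1.43:50167 <-> 66.102.13.101:http       25      9752      44     17190      69     26942
================================================================================
"""

# One data row: "A:portA <-> B:portB" followed by six integers
# (frames/bytes "<-", frames/bytes "->", frames/bytes total). IPv4 only.
ROW = re.compile(r"^(\S+):(\S+)\s+<->\s+(\S+):(\S+)"
                 r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

@dataclass
class Conversation:
    src_ip: str
    src_port: str      # service name unless tshark was run with -n
    dst_ip: str
    dst_port: str
    bytes_in: int      # "<-" column: bytes received by the left endpoint
    bytes_out: int     # "->" column: bytes sent by the left endpoint
    frames: int        # total frames in the conversation
    bytes_total: int   # total bytes in the conversation

def parse_conv_tcp(text):
    """Return one Conversation per data row; header/filter lines are skipped."""
    convs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            g = m.groups()
            convs.append(Conversation(g[0], g[1], g[2], g[3],
                                      int(g[5]), int(g[7]), int(g[8]), int(g[9])))
    return convs

def find_stream(convs, ip, port):
    """Answer the question's query: streams whose left endpoint is ip:port."""
    return [c for c in convs if (c.src_ip, c.src_port) == (ip, str(port))]

def tshark_conv_tcp(pcap_path):
    """Run the same tshark command as in the reply (assumes tshark on PATH)."""
    out = subprocess.run(["tshark", "-r", pcap_path, "-qz", "conv,tcp"],
                         capture_output=True, text=True, check=True).stdout
    return parse_conv_tcp(out)
```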
Current thread:
- TCP Stream analysis using wireshark API Pushkar Tiwari (Jan 03)
- Re: TCP Stream analysis using wireshark API Sake Blok (Jan 04)