Wireshark mailing list archives

Regarding tcp.stream filtering.


From: Rikard Svenningsen <wireshark () svenningsen dk>
Date: Fri, 11 Dec 2009 12:36:35 +0100

Hi everyone

I have made a bash script that counts from 1 to whatever is needed.
It runs a filter as tcp.stream == $count and does what you can see...

1. tshark -r capture.cap -R "tcp.stream == $count" > capture$count.stream
2. tshark -r capture.cap -R "tcp.stream == $count" -w capture$count.cap
3. tshark -r capture.cap -q -z io,stat,120 > capture$count.csv

In the first file I take the first packet and the last packet and calculate
the difference, i.e. when the stream started and ended.
In the next and third files I count the number of packets and the number of bytes.

Doing that, I found out that there might be some gaps between streams, as in 1,
2, 3, 5, 7, 8, 9, 10.
How is that?
I thought Wireshark / tshark counted the stream and numbered in a series.



-- 
Kind regards
Rikard Svenningsen
Smalager 36
DK-7120
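
The per-stream measurements described in the message (start time, duration, packet count, byte count) can be taken in one pass over tshark's field output, which also lists any stream index that has no packets in the capture. This is an added example, not part of the original post; the function names and the sample rows are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post).
# Expected input: tab-separated rows as produced by
#   tshark -r capture.cap -T fields -e tcp.stream -e frame.time_epoch -e frame.len
# Rows with an empty tcp.stream column (non-TCP packets) are skipped.

# Constructed sample rows: streams 0, 1 and 3, plus one non-TCP packet.
sample_capture() {
  printf '%s\t%s\t%s\n' \
    0  1260531395.000000 74 \
    0  1260531395.250000 66 \
    "" 1260531395.300000 42 \
    1  1260531396.000000 74 \
    3  1260531397.000000 74 \
    3  1260531399.500000 1514 \
    1  1260531400.000000 60
}

# Output columns: stream,start_epoch,duration_s,packets,bytes
# A stream index between the lowest and highest seen that has no packets
# is reported as "<index>,MISSING".
summarize_streams() {
  awk -F'\t' '
    $1 == "" { next }
    {
      s = $1 + 0
      if (n == 0) { min = s; max = s }
      if (s < min) min = s
      if (s > max) max = s
      if (!(s in pkts)) first[s] = $2     # rows arrive in capture order
      last[s] = $2; pkts[s]++; bytes[s] += $3; n++
    }
    END {
      if (n == 0) exit
      for (s = min; s <= max; s++) {
        if (s in pkts)
          printf "%d,%.3f,%.3f,%d,%d\n", s, first[s], last[s] - first[s], pkts[s], bytes[s]
        else
          printf "%d,MISSING\n", s
      }
    }'
}

sample_capture | summarize_streams
```
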