Wireshark mailing list archives

Re: Regarding tcp.stream filtering.


From: "Sake Blok" <sake () euronet nl>
Date: Fri, 11 Dec 2009 12:57:53 +0100

Hi Med,

This is "expected" behavior. Internally, Wireshark uses conversations to keep track of sessions. These conversations 
are not limited to TCP (also UDP traffic can cause a conversation entry to be created for example). To make 
implementation easier, processing faster and memory footprint lighter, I used the conversation index as value for 
tcp.stream. This indeed means that there can be gaps in the numbering. Please also note that tcp.stream can also be 0.

Hope this clarifies things,
Cheers,


Sake

  ----- Original Message ----- 
  From: Rikard Svenningsen 
  To: Wireshark user group 
  Sent: Friday, December 11, 2009 12:36 PM
  Subject: [Wireshark-users] Regarding tcp.stream filtering.


  Hi everyone 

  I have made a bash script counting from 1 to whatever is needed.
  It runs a filter as tcp.stream == $count and does what you can see...

  1. tshark -r capture.cap -R "tcp.stream == $count" > capture$count.stream
  2. tshark -r capture.cap -R "tcp.stream == $count" -w capture$count.cap
  3. tshark -r capture.cap -q -z io,stat,120 > capture$count.csv

  In the first file I take the first packet and the last packet and calculate the difference as when the stream 
started and ended.
  In the second and third files I count the number of packets and the number of bytes.

  Doing that I found out that there might be some gaps between streams, as 1, 2, 3, 5, 7, 8, 9, 10.
  How is that?
  I thought Wireshark / tshark counted the streams and numbered them in a series.



  -- 
  Med venlig hilsen
  Rikard Svenningsen
  Smalager 36
  DK-7120
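Since tcp.stream is a conversation index that can start at 0 and skip values, a script should not count 1..N but should enumerate the indices that actually occur in the capture. The following is an added example (not from either poster and not Wireshark's own code) of that approach. It assumes a tshark new enough to accept the -Y display-filter option (the 2009-era tshark in the original post used -R for the same purpose), and the output file names stream$s.pcap, stream$s.times and stream$s.iostat are arbitrary choices for illustration.

```shell
#!/bin/sh
# Process every TCP stream in a capture by the tcp.stream indices that are
# actually present, rather than counting from 1. Counting from 1 both skips
# stream 0 and stops early or errors on the gaps left by non-TCP conversations.

# list_streams: reads the tcp.stream column as printed by
# `tshark -T fields -e tcp.stream` on stdin (one line per packet, blank for
# non-TCP packets, occasionally "a,b" when one frame carries two TCP headers)
# and emits each index once, in numeric order.
list_streams() {
    tr ',' '\n' | grep -v '^$' | sort -n | uniq
}

# per_stream: for every TCP stream in capture $1, write the stream's packets
# to their own pcap, dump the per-frame timestamps (first and last line give
# the stream's start and end) and produce packet/byte totals for that stream.
# Output file names are hypothetical placeholders.
per_stream() {
    cap="$1"
    tshark -r "$cap" -T fields -e tcp.stream | list_streams |
    while read -r s; do
        tshark -r "$cap" -Y "tcp.stream == $s" -w "stream$s.pcap"
        tshark -r "$cap" -Y "tcp.stream == $s" -T fields -e frame.time_epoch \
            > "stream$s.times"
        # io,stat with interval 0 yields one row for the whole capture; the
        # trailing filter restricts the packet and byte counts to this stream.
        tshark -r "$cap" -q -z "io,stat,0,tcp.stream == $s" > "stream$s.iostat"
    done
}

if [ -n "${1-}" ]; then
    per_stream "$1"
fi
```

Invoke it as `sh streams.sh capture.cap`. The same enumeration idea applies to udp.stream or any other index field: query the capture for the values that exist and loop over those, never over an assumed contiguous range.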



  ___________________________________________________________________________
  Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
  Archives:    http://www.wireshark.org/lists/wireshark-users
  Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
               mailto:wireshark-users-request () wireshark org?subject=unsubscribe