Wireshark mailing list archives

Re: Following streams across multiple files


From: "Sake Blok" <sake () euronet nl>
Date: Sat, 10 Oct 2009 15:14:38 +0200

The reason for "Follow TCP Stream" to use the tcp.stream field is to distinguish between two conversations that use the 
same tuple (which happens when port numbers are reused). Unfortunately this does not identify TCP streams across 
tracefiles. You can either create the "old" conversation filter by hand, or you could use the conversation filter to 
create it for you (right-click on the packet list and choose conversation filter -> TCP).

But.... for the purpose of the original poster, tcpflow might be more convenient:

"tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way 
that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the 
wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the 
actual data streams and stores each flow in a separate file for later analysis."

(see: http://www.circlemud.org/~jelson/software/tcpflow/)

Cheers,


Sake

  ----- Original Message ----- 
  From: Martin Visser 
  To: Community support list for Wireshark 
  Sent: Saturday, October 10, 2009 2:54 PM
  Subject: Re: [Wireshark-users] Following streams across multiple files


  Not really.

  You have two options though. One is simply to merge all of the capture files and then use follow TCP stream over 
that merged capture. But of course the reason you have separate files might well be for size reasons, so joining them 
might not be practical.

  The second is for you to identify what makes a stream and use that. A stream (in a general sense) is identified 
by a tuple (a set) of the source and destination IP addresses and TCP ports. In older versions of Wireshark when you 
did "Follow TCP stream" it would prepare a display filter with this tuple and display it, as below:

  (ip.addr eq 192.168.0.118 and ip.addr eq 212.58.253.70) and (tcp.port eq 43047 and tcp.port eq 80)

  Now if you then copied this display filter and then opened a different capture file, it could then be used as a 
display filter to show the same stream.

  Now in newer versions of Wireshark (I'm not sure exactly when this appeared), when you "Follow TCP Stream", you now 
get a display filter something like:

  tcp.stream eq 54

  Now while for most purposes this makes it easier to select and remember different streams, the "tcp.stream" is a 
generated field that only has relevance to the capture file loaded. Basically for every new TCP stream that Wireshark 
decodes (based on each unique source and dest IP and TCP port tuple) it generates a new TCP stream. And of course each 
capture file will almost certainly have different streams and probably appearing in different order. The only easy way 
that I can see to create a display filter that references a particular stream across different captures (in the newer 
Wireshark versions) is unfortunately going to need to be done manually and would follow the first format I mentioned.

  Regards, Martin

  MartinVisser99 () gmail com



  On Sat, Oct 10, 2009 at 12:01 PM, Ray Simard <rhs.wshark () sylvan-glade com> wrote:

    Is there a way to follow a TCP (or other) stream over a file set?  This
    feature is completely new to me so I'm not well versed in it, but I
    haven't seen anything about it in the docs so far.

    I've been able to assemble streams from multiple files by saving them
    separately and then concatenating them, using IP addresses and port
    number to identify them, but if there's an easier way I'd love to find
    out about it.

    Thanks,
    Ray
    ___________________________________________________________________________
    Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
    Archives:    http://www.wireshark.org/lists/wireshark-users
    Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
                mailto:wireshark-users-request () wireshark org?subject=unsubscribe
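As an added example (not code from this thread, from Wireshark or from tcpflow), the following stdlib-only Python script makes the point of the thread concrete: it numbers TCP conversations per file in first-seen order, the way tcp.stream does, keys them across files by the direction-independent address/port tuple, and emits the hand-built "old" conversation filter that is valid in every file of the set. It assumes classic pcap files with Ethernet framing; the two captures it reads are constructed in the script, so it runs offline.

```python
import socket
import struct

def tcp_packets(data):
    """Yield (src, sport, dst, dport) for each Ethernet/IPv4/TCP record in a classic pcap file."""
    end = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"  # magic gives byte order
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from(end + "IIII", data, off)[2]
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        if len(pkt) >= 14 + ihl + 4:
            sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
            yield socket.inet_ntoa(pkt[26:30]), sport, socket.inet_ntoa(pkt[30:34]), dport

def make_pcap(packets):
    """Constructed capture for testing: one minimal TCP segment per (src, sport, dst, dport)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for src, sport, dst, dport in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def index_streams(captures):
    """Per file, number conversations in first-seen order (tcp.stream); map each tuple to its index per file."""
    cross = {}
    for name, data in captures.items():
        seen = {}
        for src, sport, dst, dport in tcp_packets(data):
            key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent
            seen.setdefault(key, len(seen))
            cross.setdefault(key, {})[name] = seen[key]
    return cross

def display_filter(key):
    """The 'old' Follow TCP Stream filter, which matches the conversation in any file of the set."""
    (a, ap), (b, bp) = key
    return f"(ip.addr eq {a} and ip.addr eq {b}) and (tcp.port eq {ap} and tcp.port eq {bp})"

# Constructed captures: the same conversation appears in a different order in each file.
CAPTURES = {"a.pcap": make_pcap([("192.168.0.118", 43047, "212.58.253.70", 80),
                                  ("192.168.0.118", 50000, "10.0.0.5", 443)]),
            "b.pcap": make_pcap([("192.168.0.118", 50000, "10.0.0.5", 443),
                                  ("212.58.253.70", 80, "192.168.0.118", 43047)])}
```

Running `index_streams(CAPTURES)` shows the 192.168.0.118:43047 <-> 212.58.253.70:80 conversation as stream 0 in a.pcap but stream 1 in b.pcap, while `display_filter` on its key yields the same tuple filter that Martin's old-style example shows, usable unchanged in both files.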