Re: tshark and tcp streams

[Martin Visser <martinvisser99 () gmail com>]

Douglas,

It might be worth submitting a bug report for a feature request for this.
There is no real reason why for instance Wireshark (bit harder with tshark)
couldn't "remember"  tcp.streams it has discovered and reuse those values
between files being opened, based on the IP address, TCP ports and SEQs. Of
course the problem is that Wireshark can't really verify the legitimacy of
doinng if it doesn't see the whole conversation. (Two captures from a year
apart might have the same IP address and TCP port pair and SEQ numbers that
are valid, but of course may or maynot be the same session/stream).
Regards, Martin

MartinVisser99 () gmail com


On Mon, May 31, 2010 at 2:43 PM, Douglas Ross <doug_ross_59 () yahoo co uk>wrote:

>  Hi Joke,
>
> Thanks for the added info.
> Yes I did realise that indices are restarted (from 0) at the start of a new
> file, so if a stream continues over from file.a into file.b, it will have
> different tcp.stream index in file.b :(
> That's why I raised my original request.
>
> Regards, and
> Goed gedaan :) (?)
> Doug
>
>  ------------------------------
> *From:* j.snelders <j.snelders () telfort nl>
> *To:* Community support list for Wireshark <wireshark-users () wireshark org>
> *Sent:* Mon, 31 May, 2010 1:31:13 AM
>
> *Subject:* Re: [Wireshark-users] tshark and tcp streams
>
> Hoi Doug,
>
> Graag gedaan;-)
>
> Just another note.
> If you use tcp.stream across multiple files, keep in mind that the stream
> index numbers can represent different combinations of ip-addresses and
> portnumbers;
> e.g.
> file a: tcp.stream==22    192.168.1.10    49653    207.241.229.39    80
> file b: tcp.stream==22    192.168.1.10    49664    207.204.17.246    80
> file c: tcp.stream==22
> file d: tcp.stream==22    192.168.1.10    49693    67.228.110.120    80
>
> BTW
> You can use mergecap to merge multiple capture into a single output file:
> mergecap -w test2905.pcap file_a.pcap file_b.pcap file_c.pcap file_d.pcap
> http://www.wireshark.org/docs/man-pages/mergecap.html
>
> Groetjes
> Joke
>
> On Sun, 30 May 2010 10:41:37 +0000 (GMT) Douglas Ross wrote:
> > Hi Joan,
> >
> > Thanks very much for taking the time to reply, and explain -- even doing
> > the job for me?;)
> >
> > I'm not familiar with tshark, as you may tell,?but I?guessed that the only
> > way would probably involve concatenating files first. However, I wanted?a
> > more automated method.
> >
> > A few years ago I did some analysis of ethereal files, and coded my own
> software
> > to extract data, automatically accessing the next available file,
> and?optionally
> > following files in real time. However, my data extraction routine was
> rather
> > basic.?So I was hoping to use tshark's tcp.stream recognition process to
> > improve on it.
> >
> > My current project requires more work of me to better understand the data
> > packaging layers, so I'll revisit my old code and perhaps integrate it
> with
> > tshark ..
> >
> > Thanks again, or dank u wel ;)
> >
> > Goeiendag
> > Doug
> > (excuse my Dutch?:(
> Goed gedaan;-)
>
> > ________________________________
> > From: j.snelders <j.snelders () telfort nl>
> > To: Community support list for Wireshark <wireshark-users () wireshark org>
> > Sent: Sat, 29 May, 2010 9:31:17 PM
> > Subject: Re: [Wireshark-users] tshark and tcp streams
> >
> > Hi Douglas,
> >
> > Can TShark statistics help you?
> > Create a table that lists all conversations that could be seen in the
> capture
> > file:
> > -z? conv,type[,filter]
> > http://www.wireshark.org/docs/man-pages/tshark.html
> >
> > Run this script to create a table that lists the conversations in multiple
> > files.
> > Use paste--serial to merge the text files.
> > Use rm to remove the temporary files.
> >
> > for file in `ls -1 test2905*.pcap`
> > do
> > ? tshark -r $file -q -z conv,tcp > tmp-$file.txt
> > done
> > paste --serial tmp*.pcap.txt > test2905.txt
> > rm -f tmp-*
> >
> >
> > Look for the conversation you want to extract from the capture files:
> > TCP Conversations
> > ??? Filter:<No Filter>
> > ??? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? |? ? ? <-? ? ? | |? ?
>
> > ->? ? ? | |? ? Total? ? |
> > ??? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | Frames? Bytes | |
> Frames
> > Bytes | | Frames? Bytes |
> > ??? 192.168.1.10:49664? <-> 207.204.17.246:80 <http://207.204.17.246/>? ?
> ? ? 83? ? 121342? ? ? 42
> > ? ? 2622? ? 125? ? 123964
> >
> > Create a display filter:
> > ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 &&
> tcp.port==80
> > Run this script to save the packets to separate files, merge these files
> > and remove the temporary files:
> >
> > for file in `ls -1 test2905*.pcap`
> > do
> > ? tshark -r $file -w tmp-$file -R "ip.addr==192.168.1.10 &&
> tcp.port==49664
> > && ip.addr==207.204.17.246 && tcp.port==80"
> > done
> > mergecap -w test2905c.pcap tmp-*
> > rm -f tmp-*
> >
> >
> > Hope this helps
> > Joan
> >
> >
> > On Fri, 28 May 2010 21:29:42 +0000 (GMT) Douglas Ross wrote:
> > > Thanks to Abhik for revealing the tshark commands: -T fields -e
> tcp.stream
> > > (see tshark command 19-21 May)
> > >
> > > But, does anyone know how to get tshark to follow streams across capture
> > > files ?
> > >
> > > Cheers
> > > Doug
>
>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe