Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: TCP Stream analysis using wireshark API

From: Sake Blok <sake () euronet nl>
Date: Tue, 4 Jan 2011 09:43:27 +0100
On 4 jan 2011, at 01:26, Pushkar Tiwari wrote:


I am trying to write an application that can do TCP stream analysis from the input pcap file. I am interested in 
following parameters:
 - Total number of TCP streams
 - Source IP, Source Port, Dest IP, Dest Port of each stream
 - Stream length (inbound and outbound)
 - Application porotocol like HTTP if any
 - Querying PCAP file based on above parameters, like check if there is a stream with specified source IP and Port
 
Can I achieve all of these tasks using some Wireshark API in my program? If not any other library that can help to 
achieve it.


You can achieve most of your objectives with tshark:

$ tshark -r ../pcap/http.cap -qz conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.43:50171   <-> 109.74.197.217:http      614    916576     362     28752     976    945328
192.168.1.43:50180   <-> 217.196.32.147:http      265    352526     203     35931     468    388457
192.168.1.43:50181   <-> 217.196.32.147:http      255    342522     197     36468     452    378990
192.168.1.43:50173   <-> 109.74.197.217:http      200    290884     125     11707     325    302591
192.168.1.43:50245   <-> 82.94.174.141:http       143    209012      92     10849     235    219861
192.168.1.43:50176   <-> 217.196.32.16:http       140    207808      80      5845     220    213653
192.168.1.43:50204   <-> 209.84.12.126:http        94    136365      57      7290     151    143655
192.168.1.43:50254   <-> 82.94.174.141:http        49     67994      35      5431      84     73425
192.168.1.43:50166   <-> 66.102.13.103:http        44     53406      39      7799      83     61205
192.168.1.43:50167   <-> 66.102.13.101:http        25      9752      44     17190      69     26942
192.168.1.43:50255   <-> 217.196.32.16:http        36     50344      26      2475      62     52819
[...]
192.168.1.43:50256   <-> 82.94.174.141:http         3      1919       4       931       7      2850
192.168.1.43:50253   <-> 66.102.13.145:http         3       691       4       941       7      1632
192.168.1.43:50257   <-> 82.94.174.141:http         2      1546       4       931       6      2477
192.168.1.43:49399   <-> 208.43.202.26:http         2       330       2       297       4       627
192.168.1.43:50092   <-> 66.220.145.40:http         2       261       2      1307       4      1568
================================================================================
$ 

Have a look at the manpage for more statistics options (-z ...).

Hope this helps,
Cheers,



Sake

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: