Wireshark mailing list archives
filter on direction of (MP)TCP flow
From: Matt <mattator () gmail com>
Date: Mon, 9 May 2016 18:07:05 +0200
Hi,

I typically use wireshark to export pcap dissection to csv (via tshark), load these csv files via pandas (a really great python library http://pandas.org) and then do some magic and generate some matplotlib plots.

Sometimes, I need to filter packets to keep only one direction; from client to server or reverse. To the best of my knowledge, the current way to do it is to filter on IPs? Such as "tcp.stream == 0 and src.ip == <IP>". For TCP, finding the IP depending on the direction (client or server) is as simple as finding who sent the SYN, but I mostly work with MPTCP, in which case it is trickier.

I would like to do "mptcp.stream == 0 && mptcp.dst == server", mptcp.dst being one of client/server/unknown. Would it be OK to send such a patch? (I would also do it for TCP.)

Another approach, somewhat orthogonal, would be to have wireshark map addresses to a host. The hosts <-> addresses mappings could be done manually, loading from a file a list of IPs/MACs, and/or completed by wireshark. For instance in Multipath TCP (MPTCP) communications, provided that the whole communication is captured (including SYN packets), it is possible to map the different IPs to their respective host (depending on the MPTCP token, one knows if the TCP subflow was initiated by the server or by the client).

In my case, I often work on/analyze multihomed communications (which may get more and more usual with protocols such as MPTCP, LISP, TRILL) and filtering on IPs can become tedious, especially when trying to automate captures, hence the proposition. One could do something like: "tcp.dst == server and ip.src in host('client')" with host(hostname) or host(<ip>) returning the set of addresses assigned to this host, so that "tcp.dst == server and eth.src in host(192.168.1.1)" could also be possible.
Regards,
Matt
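The direction labelling Matt asks for can be approximated today outside Wireshark, on the tshark CSV export he describes. The script below is an added example, not code from the post or from the Wireshark project: it learns each TCP stream's client from the bare SYN (SYN set, ACK clear), then tags every packet with a `dst` value of `server`, `client` or `unknown`, the same three values proposed for `mptcp.dst`. The column names match a hypothetical `tshark -T fields -E header=y -E separator=, -e frame.number -e tcp.stream -e ip.src -e ip.dst -e tcp.flags.syn -e tcp.flags.ack` invocation, and the sample rows are constructed; the MPTCP token rule from the post is not implemented, so a subflow whose SYN was not captured stays `unknown`.

```python
"""Label packet direction (client/server/unknown) from a tshark CSV export.

Assumed export (hypothetical invocation, not from the post):
  tshark -r capture.pcap -T fields -E header=y -E separator=, \
      -e frame.number -e tcp.stream -e ip.src -e ip.dst \
      -e tcp.flags.syn -e tcp.flags.ack
The client of a stream is whoever sent the bare SYN (SYN=1, ACK=0).
Streams with no captured SYN cannot be oriented and are marked "unknown".
"""
import csv
import io

# Constructed sample export: stream 0 is fully captured, stream 1 lacks its SYN.
SAMPLE_CSV = """frame.number,tcp.stream,ip.src,ip.dst,tcp.flags.syn,tcp.flags.ack
1,0,10.0.0.2,192.0.2.10,1,0
2,0,192.0.2.10,10.0.0.2,1,1
3,0,10.0.0.2,192.0.2.10,0,1
4,1,10.0.0.9,192.0.2.10,0,1
5,1,192.0.2.10,10.0.0.9,0,1
6,0,192.0.2.10,10.0.0.2,0,1
"""


def _flag(value):
    """tshark prints boolean fields as 1/0 or True/False depending on version."""
    return value.strip().lower() in ("1", "true")


def load_rows(text):
    """Parse the CSV export into a list of dicts keyed by field name."""
    return list(csv.DictReader(io.StringIO(text)))


def learn_clients(rows):
    """Return {tcp.stream: client_ip}, taking the first bare SYN of each stream."""
    clients = {}
    for r in rows:
        if _flag(r["tcp.flags.syn"]) and not _flag(r["tcp.flags.ack"]):
            clients.setdefault(r["tcp.stream"], r["ip.src"])
    return clients


def label_direction(rows, clients):
    """Add a 'dst' key to each row: the equivalent of the proposed tcp.dst field."""
    out = []
    for r in rows:
        client = clients.get(r["tcp.stream"])
        if client is None:
            dst = "unknown"          # SYN not captured, orientation unknown
        elif r["ip.src"] == client:
            dst = "server"           # client -> server
        else:
            dst = "client"           # server -> client
        out.append(dict(r, dst=dst))
    return out


def frames_towards(text, direction):
    """Frame numbers whose labelled direction equals `direction`."""
    rows = load_rows(text)
    labelled = label_direction(rows, learn_clients(rows))
    return [int(r["frame.number"]) for r in labelled if r["dst"] == direction]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for r in label_direction(rows, learn_clients(rows)):
        print(r["frame.number"], r["ip.src"], "->", r["ip.dst"], r["dst"])
```

The `dst` column is what a pandas user would then filter on (`df[df.dst == "server"]`) instead of hard-coding addresses per capture. For a multihomed MPTCP client, one entry per subflow is learned, so each subflow whose MP_CAPABLE or MP_JOIN SYN was captured is oriented without listing the client's addresses by hand.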