Wireshark-users: [Wireshark-users] tshark and tcp.segment output

From: William Boatin <William.Boatin@xxxxxxxxxxxxxxxxx>
Date: Mon, 24 Aug 2009 17:07:01 -0400

Hi guys

Please allow me to set up my question.

I have successfully used tshark to output PDML and PSML.

PDML contains WAY too much info; PSML too little.

So I have resorted to using the -T fields option to pick out what I want.

I am able to capture all the packets I think I need to parse out the info I need, but am stumped on finding out the total time taken to complete a response.

From PDML output, I can see the information I could potentially use to figure this out: the re-assembled tcp segments.

For example:

<proto name="fake-field-wrapper">
  <field name="tcp.segments" showname="Reassembled TCP Segments (73278 bytes): #16(1460), #17(1460), #19(1460), #20(1460), #21(1460), #" size="73278" pos="0" show="" value="">
    <field name="tcp.segment" showname="Frame: 16, payload: 0-1459 (1460 bytes)" size="1460" pos="0" show="16" />
    <field name="tcp.segment" showname="Frame: 17, payload: 1460-2919 (1460 bytes)" size="1460" pos="1460" show="17" />
    <field name="tcp.segment" showname="Frame: 19, payload: 2920-4379 (1460 bytes)" size="1460" pos="2920" show="19" />
    <field name="tcp.segment" showname="Frame: 20, payload: 4380-5839 (1460 bytes)" size="1460" pos="4380" show="20" />
    <field name="tcp.segment" showname="Frame: 21, payload: 5840-7299 (1460 bytes)" size="1460" pos="5840" show="21" />
    <field name="tcp.segment" showname="Frame: 23, payload: 7300-8759 (1460 bytes)" size="1460" pos="7300" show="23" />
    <field name="tcp.segment" showname="Frame: 24, payload: 8760-10219 (1460 bytes)" size="1460" pos="8760" show="24" />
    <field name="tcp.segment" showname="Frame: 25, payload: 10220-11679 (1460 bytes)" size="1460" pos="10220" show="25" />
    <field name="tcp.segment" showname="Frame: 27, payload: 11680-13139 (1460 bytes)" size="1460" pos="11680" show="27" />
    <field name="tcp.segment" showname="Frame: 28, payload: 13140-14599 (1460 bytes)" size="1460" pos="13140" show="28" />
    <field name="tcp.segment" showname="Frame: 29, payload: 14600-16059 (1460 bytes)" size="1460" pos="14600" show="29" />
    <field name="tcp.segment" showname="Frame: 31, payload: 16060-17519 (1460 bytes)" size="1460" pos="16060" show="31" />
    <field name="tcp.segment" showname="Frame: 32, payload: 17520-18979 (1460 bytes)" size="1460" pos="17520" show="32" />
    <field name="tcp.segment" showname="Frame: 34, payload: 18980-20439 (1460 bytes)" size="1460" pos="18980" show="34" />
    <field name="tcp.segment" showname="Frame: 35, payload: 20440-21899 (1460 bytes)" size="1460" pos="20440" show="35" />
    <field name="tcp.segment" showname="Frame: 37, payload: 21900-23359 (1460 bytes)" size="1460" pos="21900" show="37" />
    <field name="tcp.segment" showname="Frame: 38, payload: 23360-24819 (1460 bytes)" size="1460" pos="23360" show="38" />
    <field name="tcp.segment" showname="Frame: 40, payload: 24820-26279 (1460 bytes)" size="1460" pos="24820" show="40" />
    <field name="tcp.segment" showname="Frame: 41, payload: 26280-27739 (1460 bytes)" size="1460" pos="26280" show="41" />
    <field name="tcp.segment" showname="Frame: 43, payload: 27740-29199 (1460 bytes)" size="1460" pos="27740" show="43" />
    <field name="tcp.segment" showname="Frame: 44, payload: 29200-30659 (1460 bytes)" size="1460" pos="29200" show="44" />
    <field name="tcp.segment" showname="Frame: 45, payload: 30660-32119 (1460 bytes)" size="1460" pos="30660" show="45" />
    <field name="tcp.segment" showname="Frame: 47, payload: 32120-33579 (1460 bytes)" size="1460" pos="32120" show="47" />
    <field name="tcp.segment" showname="Frame: 48, payload: 33580-35039 (1460 bytes)" size="1460" pos="33580" show="48" />
  </field>
</proto>

However, I can't get tshark to output all the tcp.segment nodes. I only get the last one.

This is my argument list for tshark:

-i 2 -T fields -E header=y -E separator="#" -e ip.src -e ip.dst -e frame.time -e ip.src_host -e ip.dst_host -e http.request.method -e http.content_length -e http.content_type -e http.host -e http.request.uri -f "tcp port 80"

So finally my questions are

1)      Can tshark output ALL the tcp.segment info?

2)      Could I somehow change the data that psml/pdml outputs?

3)      I also need to connect a response to a request; how do I do that?

Thanks!

GreenSig
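The post asks how to get every tcp.segment of a reassembled response out of tshark and how to tie that response back to its request. The script below is an added example written for this page, not code from the original post or from the Wireshark project. It works from `tshark -T pdml` output rather than `-T fields`, walking each `<packet>` with ElementTree: the frame number and timestamp come from the `frame` proto, the contributing frames from the `tcp.segment` fields nested under `tcp.segments` in the `fake-field-wrapper` proto (as in the snippet in the post), and the request is located through the `http.request_in` field that Wireshark's HTTP dissector adds to a response. It assumes the PDML carries `frame.time_epoch`; the sample PDML embedded in the script is constructed by hand, and its timestamps are made up.

```python
"""Report, for every frame that completes a TCP reassembly in tshark PDML
output, the frames that contributed segments, the time the reassembly took,
and (when the HTTP dissector tagged the response with its request frame via
http.request_in) the request-to-response time.

Added example, not code from the original post. Assumes `tshark -T pdml`
output where each <packet> has a <proto name="frame"> with frame.number and
frame.time_epoch, and the frame completing a reassembly has a
<proto name="fake-field-wrapper"> whose tcp.segment fields carry the
contributing frame number in `show`. SAMPLE_PDML is constructed by hand.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a GET in frame 15, answered by a response whose body is
# reassembled from frames 16, 17 and 19 (timestamps are invented).
SAMPLE_PDML = """<pdml>
  <packet>
    <proto name="frame">
      <field name="frame.number" show="15"/>
      <field name="frame.time_epoch" show="1251148021.100000"/>
    </proto>
    <proto name="http">
      <field name="http.request.method" show="GET"/>
      <field name="http.request.uri" show="/index.html"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame">
      <field name="frame.number" show="16"/>
      <field name="frame.time_epoch" show="1251148021.120000"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame">
      <field name="frame.number" show="17"/>
      <field name="frame.time_epoch" show="1251148021.140000"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame">
      <field name="frame.number" show="19"/>
      <field name="frame.time_epoch" show="1251148021.300000"/>
    </proto>
    <proto name="fake-field-wrapper">
      <field name="tcp.segments" showname="Reassembled TCP Segments (4380 bytes)" size="4380" pos="0" show="">
        <field name="tcp.segment" showname="Frame: 16, payload: 0-1459 (1460 bytes)" size="1460" pos="0" show="16"/>
        <field name="tcp.segment" showname="Frame: 17, payload: 1460-2919 (1460 bytes)" size="1460" pos="1460" show="17"/>
        <field name="tcp.segment" showname="Frame: 19, payload: 2920-4379 (1460 bytes)" size="1460" pos="2920" show="19"/>
      </field>
    </proto>
    <proto name="http">
      <field name="http.response.code" show="200"/>
      <field name="http.request_in" show="15"/>
    </proto>
  </packet>
</pdml>
"""


def _show(packet, name):
    """`show` attribute of the first field named `name` under a <packet>, else None."""
    el = packet.find(f".//field[@name='{name}']")
    return el.get("show") if el is not None else None


def parse_pdml(text):
    """Return (frame_times, completions): frame number -> epoch seconds, and one
    dict per frame that ends a TCP reassembly or is a response tagged with its request."""
    root = ET.fromstring(text)
    frame_times, completions = {}, []
    for packet in root.iter("packet"):
        number = int(_show(packet, "frame.number"))
        frame_times[number] = float(_show(packet, "frame.time_epoch"))
        # Collect every tcp.segment field, not just the last one: iterate, don't find().
        segments = [int(f.get("show")) for f in packet.iter("field")
                    if f.get("name") == "tcp.segment"]
        request_in = _show(packet, "http.request_in")
        if segments or request_in is not None:
            completions.append({"frame": number, "segments": segments,
                                "request_in": int(request_in) if request_in is not None else None})
    return frame_times, completions


def response_timings(text):
    """Per completed response: contributing frames, reassembly duration and, when
    the request frame is known, the time from request to the completing frame."""
    frame_times, completions = parse_pdml(text)
    rows = []
    for c in completions:
        segments = c["segments"] or [c["frame"]]  # unsegmented response: just itself
        first, last = min(segments), max(segments)
        row = {"response_frame": c["frame"], "segment_frames": segments,
               "reassembly_seconds": round(frame_times[last] - frame_times[first], 6)}
        if c["request_in"] is not None and c["request_in"] in frame_times:
            row["request_frame"] = c["request_in"]
            row["request_to_response_seconds"] = round(
                frame_times[c["frame"]] - frame_times[c["request_in"]], 6)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in response_timings(SAMPLE_PDML):
        print(row)
```

Feed it real output with `tshark -r capture.pcap -T pdml > capture.pdml` and pass the file contents to `response_timings`. The reassembly duration is measured from the first contributing segment to the frame that completes the reassembly, which is the "total time taken to complete a response" the post is after; the request-to-response figure needs the request frame to be present in the same capture. Current tshark releases can also emit every occurrence of a multi-valued field in `-T fields` mode (`-E occurrence=a`, with `-E aggregator=` choosing the joiner); whether the 2009 build used in the post offers that option is not something this page establishes.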