Wireshark-users: Re: [Wireshark-users] Number of connections to host IP address?

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: John Hinckley <john@xxxxxxxxxxxxxxxx>
Date: Mon, 7 Dec 2009 20:39:07 -0800
OmniPeek can probably do what you want but it is somewhat expensive. 

http://www.wildpackets.com/products/network_analysis/omnipeek_network_analyzer

On Mon, Dec 7, 2009 at 7:47 AM, James Taylor <gmane@xxxxxxxxxxxxxxxxxxx> wrote:
On 2009-12-04, dkraut wrote:

> I've been asked to find out if Wireshark has the ability to determine the
> active number of connections at a given time?  For example, If I perform
> a capture of all traffic to/from our DB server from 3pm to 4pm, is there
> anyway to tell how many active connections there were to the DB IP address
> at 3pm, 3:15pm, 3:30pm, etc.?

Wireshark can't do this, but you can simply run the capture file through
Ostermann's tcptrace <http://www.tcptrace.org/> to produce a graph of
the number of open connections over time. The options would be something
like this:

$ tcptrace -n -xtraffic' -i5 -p1-1023 -C -O' capture_file

The -x invokes the "traffic" module of tcptrace, and that module's
options must be enclosed in quotes as shown so that they do not get
interpreted as options of tcptrace itself. In combination with xplot
<http://www.xplot.org/>, tcptrace is a fantastic tool for TCP analysis
and produces much better time-sequence graphs than Wireshark, amongst
other things.

> The problem we're trying to solve here is that there appear to be far too
> many connections to this server at certain times during the day and the
> server admins believe that someone is attacking the server in someway and
> have asked me to investigate for any anomalies

Half-open connections can also be graphed (with -H) and this might show
up the specific times of server overload quite well. tcptrace's traffic
module has usage help available by typing:

$ tcptrace -hxargs

 Module traffic:
    usage:
       -xtraffic"[ARGS]"       print info about overall traffic
          module argument format:
              -iS          set statistics interval to S (float)
                            seconds, default 15.0
              -pP          include information on port P
              -pP1-P2      include information on ports in
                            the range [P1-P2]
              -p-P         exclude information on port P
              -p-P1-P2     exclude information on ports in the
                            range [P1-P2]
              -pSPEC,SPEC  commas chain together specs
              -G           generate all graphs
              -A           generate the 'active connections' graph
              -B           generate the 'bytes per second' graph
              -C           generate the 'opens and closes' graph
              -H           generate the 'halfopen connections' graph
              -K           generate the 'pure acKs/second' graph
              -L           generate the 'losses per second' graph
              -O           generate the 'open connections' graph
              -I           generate the 'instantaneous open
                            connections' graph
              -P           generate the 'packets per second' graph
              -Q           generate the 'idle (Quiet) connections'
                            graph
              -R[MIN[-MAX]]generate the 'round trip time' graph
                           with args, ignore samples outside
                            MIN to MAX (in ms)
              -T           generate the 'total data' graph
              -D[SECS]     generate the 'long duration connection'
                            graph
                           default definition of 'long' is 60 seconds
              -d           enable local debugging in this module
            Examples
              -xtraffic" -p23"            only port 23
              -xtraffic" -p1-1023"        only ports 1-1023
              -xtraffic"-p1-1023,-10-20 -L -O"  only ports 1-1023,
                                              but exclude ports 10-20
            With no ports specification, all ports are gathered.
             With ANY spec, all ports are initially EXCLUDED


--
James Taylor

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe