Hi Med,
This is "expected" behavior. Internally, Wireshark
uses conversations to keep track of sessions. These conversations are not
limited to TCP (also UDP traffic can cause a conversation entry to be created
for example). To make implementation easier, processing faster and memory
footprint lighter, I used the conversation index as value for tcp.stream. This
indeed means that there can be gaps in the numbering. Please also note that
tcp.stream can also be 0.
Hope this clarifies things,
Cheers,
Sake
----- Original Message -----
Sent: Friday, December 11, 2009 12:36 PM
Subject: [Wireshark-users] Regarding tcp.stream filtering.
Hi everyone
I have made a bash script counting from 1
to whatever is needed. It runs a filter as tcp.stream == $count and does what you
can see...
1. tshark -r capture.cap -R "tcp.stream == $count" > capture$count.stream
2. tshark -r capture.cap -R "tcp.stream == $count" -w capture$count.cap
3. tshark -r capture.cap -q -z io,stat,120 > capture$count.csv
In the first file I take the first packet and the
last packet and calculate the difference, i.e. when the stream started and
ended. In the next and third files I count the number of packets and number of
bytes.
Doing that I found out that there might be some gaps between
streams, as in 1, 2, 3, 5, 7, 8, 9, 10. How is that? I thought Wireshark /
tshark counted the streams and numbered them in a series.
--
Kind regards,
Rikard Svenningsen
Smalager 36
DK-7120
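
Added example, not part of either message above: because tcp.stream values can start at 0 and have gaps, this sketch collects start time, end time, packet count and byte count per stream in a single pass, keyed by the stream values that actually occur instead of a 1..N counter. The function names and the sample lines are constructed for illustration; the -Y option assumes a tshark release newer than the one in the thread, which used -R.

```shell
#!/bin/sh
# Added example, not from the thread: one pass over the capture, keyed by the
# tcp.stream values that actually occur (0 included, gaps harmless).

# Reads tab-separated "tcp.stream<TAB>frame.time_epoch<TAB>frame.len" lines.
# Prints: stream, first time, last time, duration, packets, bytes.
stream_stats() {
    awk -F '\t' '
        $1 == "" { next }                  # no tcp.stream value on this packet
        !($1 in pkts) { first[$1] = $2 }   # first packet seen for this stream
        { last[$1] = $2; pkts[$1]++; bytes[$1] += $3 }
        END {
            for (s in pkts)
                printf "%d\t%.6f\t%.6f\t%.6f\t%d\t%d\n",
                       s, first[s], last[s], last[s] - first[s], pkts[s], bytes[s]
        }' | sort -n
}

# Constructed sample in the same field layout: streams 0 and 2 only (1 is
# "missing"), plus one line with an empty tcp.stream field.
sample_fields() {
    printf '0\t10.000000\t60\n'
    printf '\t10.500000\t42\n'
    printf '2\t11.000000\t100\n'
    printf '2\t11.250000\t200\n'
    printf '0\t12.500000\t40\n'
}

if [ "$#" -ge 1 ]; then
    # Assumption: a tshark release that takes -Y for display filters
    # (the 2009 commands in the thread use -R).
    tshark -r "$1" -Y tcp -T fields \
        -e tcp.stream -e frame.time_epoch -e frame.len | stream_stats
else
    sample_fields | stream_stats
fi
```

Run with a capture file name as the only argument to get one line per stream; with no argument it processes the constructed sample.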