Wireshark-users: Re: [Wireshark-users] tshark and tcp streams

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Sun, 30 May 2010 17:31:13 +0200
Hoi Doug,

Graag gedaan;-)

Just another note.
If you use tcp.stream across multiple files, keep in mind that the stream
index numbers can represent different combinations of ip-addresses and portnumbers;
e.g.
file a: tcp.stream==22	192.168.1.10	49653	207.241.229.39	80
file b: tcp.stream==22	192.168.1.10	49664	207.204.17.246	80
file c: tcp.stream==22
file d: tcp.stream==22	192.168.1.10	49693	67.228.110.120	80

BTW
You can use mergecap to merge multiple capture into a single output file:
mergecap -w test2905.pcap file_a.pcap file_b.pcap file_c.pcap file_d.pcap
http://www.wireshark.org/docs/man-pages/mergecap.html

Groetjes
Joke

On Sun, 30 May 2010 10:41:37 +0000 (GMT) Douglas Ross wrote:
>Hi Joan,
>
>Thanks very much for taking the time to reply, and explain -- even doing
>the job for me?;)
>
>I'm not familiar with tshark, as you may tell,?but I?guessed that the only
>way would probably involve concatenating files first. However, I wanted?a
>more automated method.
>
>A few years ago I did some analysis of ethereal files, and coded my own
software
>to extract data, automatically accessing the next available file, and?optionally
>following files in real time. However, my data extraction routine was rather
>basic.?So I was hoping to use tshark's tcp.stream recognition process to
>improve on it.
>
>My current project requires more work of me to better understand the data
>packaging layers, so I'll revisit my old code and perhaps integrate it with
>tshark .. 
>
>Thanks again, or dank u wel ;)
>
>Goeiendag
>Doug
>(excuse my Dutch?:(
Goed gedaan;-)

>
>________________________________
>From: j.snelders <j.snelders@xxxxxxxxxx>
>To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>Sent: Sat, 29 May, 2010 9:31:17 PM
>Subject: Re: [Wireshark-users] tshark and tcp streams
>
>Hi Douglas,
>
>Can TShark statistics help you?
>Create a table that lists all conversations that could be seen in the capture
>file:
>-z? conv,type[,filter]
>http://www.wireshark.org/docs/man-pages/tshark.html
>
>Run this script to create a table that lists the conversations in multiple
>files. 
>Use paste--serial to merge the text files.
>Use rm to remove the temporary files.
>
>for file in `ls -1 test2905*.pcap`
>do
>? tshark -r $file -q -z conv,tcp > tmp-$file.txt
>done
>paste --serial tmp*.pcap.txt > test2905.txt
>rm -f tmp-*
>
>
>Look for the conversation you want to extract from the capture files:
>TCP Conversations
>??? Filter:<No Filter>
>??? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? |? ? ? <-? ? ? | |? ?

>->? ? ? | |? ? Total? ? |
>??? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? | Frames? Bytes | | Frames
>Bytes | | Frames? Bytes |
>??? 192.168.1.10:49664? <-> 207.204.17.246:80? ? ? ? 83? ? 121342? ? ? 42
>? ? 2622? ? 125? ? 123964
>
>Create a display filter:
>ip.addr==192.168.1.10 && tcp.port==49664 && ip.addr==207.204.17.246 && tcp.port==80
>
>
>Run this script to save the packets to separate files, merge these files
>and remove the temporary files:
>
>for file in `ls -1 test2905*.pcap`
>do
>? tshark -r $file -w tmp-$file -R "ip.addr==192.168.1.10 && tcp.port==49664
>&& ip.addr==207.204.17.246 && tcp.port==80"
>done
>mergecap -w test2905c.pcap tmp-*
>rm -f tmp-*
>
>
>Hope this helps
>Joan
>
>
>On Fri, 28 May 2010 21:29:42 +0000 (GMT) Douglas Ross wrote:
>>Thanks to Abhik for revealing the tshark commands: -T fields -e tcp.stream
>>(see tshark command 19-21 May)
>>
>>But, does anyone know how to get tshark to follow streams across capture
>>files ?
>>
>>Cheers
>>Doug