Wireshark-users: Re: [Wireshark-users] Graph number of concurrent HTTP connections?

From: noah davids <ndav1@xxxxxxx>
Date: Sun, 22 May 2016 06:56:14 -0700

The following will give you a running count of the number of connections in column 1. You can then use your favorite graphing routine to graph the count. This assumes bash or some similar shell command.

c=0; tshark -r foo.pcap -Y "not tcp.analysis.retransmission && (tcp.flags.syn == 1 || tcp.flags.fin == 1 || tcp.flags.reset == 1) && tcp.port == 80" -T fields -e tcp.flags.syn -e tcp.flags.fin -e tcp.flags.reset | while read s f r; do ((c=$c+$s-$f-$r)); echo $c $s $f $r; done > foo


This will give you a sorted list of the number of connections along with the time stamp from the trace. This might be easier to correlate with any proxy logs.

$ c=0; tshark -r foo.pcap -Y "not tcp.analysis.retransmission && (tcp.flags.syn == 1 || tcp.flags.fin == 1 || tcp.flags.reset == 1) && tcp.port == 80" -T fields -e tcp.flags.syn -e tcp.flags.fin -e tcp.flags.reset -e frame.time | while read s f r t; do ((c=$c+$s-$f-$r)); echo $c $s $f $r $t; done | sort -nk1


One other thought. If you are interested in the number of connections, would it make more sense to filter on SYN-ACKs instead of SYNs?


For the record I am using Ubuntu 16.04 LTS (Xenial Xerus)



On 05/22/2016 05:00 AM, wireshark-users-request@xxxxxxxxxxxxx wrote:

I have been looking into an issue where I suspect that the client can't
connect to a proxy server due to the limit of concurrent connections.

As I have a full packet capture of such an incident I was looking for a
way to make a graph of the amount of connections over the duration of the
packet capture.



I could do a rough estimate if I filter with:

((tcp.flags.syn == 1) || (tcp.flags.fin == 1) || (tcp.flags.reset == 1))
&& (tcp.dstport == 80)



But is there a way to calculate the concurrent sessions?



Regards,

Hugo.
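The running sum in the reply above adds 1 for every SYN (the client's SYN and the server's SYN-ACK both carry SYN=1) and subtracts 1 for every FIN or RST, so a normal connection adds 2 and subtracts 2, while a connection that is reset after one side has already sent FIN is subtracted three times and a refused connection (SYN answered by RST) never reaches the proxy at all. The script below is an added example, not code from the original thread: it keys the count on tcp.stream so each connection is opened once (on its SYN-ACK, as the reply suggests) and closed once (on its first FIN or RST), and separately counts streams whose SYN was answered by a RST or FIN without any SYN-ACK, which is exactly the symptom of a proxy that has hit its connection limit. The tshark command in the comment is the assumed source of the input; note it uses tcp.port == 80 rather than tcp.dstport == 80, because with dstport the SYN-ACKs (whose destination is the client's ephemeral port) would never be seen. The sample data is constructed, not taken from a capture.

```shell
#!/bin/sh
# Added example: per-stream concurrent connection counter for tshark field output.
# Assumed input, one line per packet, whitespace separated, as produced by e.g.:
#   tshark -r foo.pcap \
#     -Y 'tcp.port == 80 && not tcp.analysis.retransmission && (tcp.flags.syn == 1 || tcp.flags.fin == 1 || tcp.flags.reset == 1)' \
#     -T fields -e frame.time_relative -e tcp.stream -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.fin -e tcp.flags.reset
# Columns: time stream syn ack fin rst. Boolean fields print as 1/0 in older
# tshark releases and True/False in newer ones; flag() accepts both.

# Track each tcp.stream once: open on its SYN-ACK, close on its first FIN or RST.
# Prints "time concurrent refused" for every packet that changes a counter.
count_concurrent() {
  awk '
    function flag(v) { return (v == "1" || v == "True") ? 1 : 0 }
    BEGIN { n = 0; refused = 0 }
    {
      t = $1; s = $2
      syn = flag($3); ack = flag($4); fin = flag($5); rst = flag($6)
      if (syn && !ack) { if (!(s in open)) pending[s] = 1; next }  # client SYN: handshake started
      if (syn && ack) {                                            # SYN-ACK: server accepted
        if (s in open) next
        delete pending[s]; open[s] = 1; n++
      } else if (fin || rst) {
        if (s in open) { delete open[s]; n-- }                     # first FIN/RST closes the stream
        else if (s in pending) { delete pending[s]; refused++ }    # RST/FIN before any SYN-ACK
        else next                                                  # second FIN, RST after FIN, etc.
      } else next
      printf "%s %d %d\n", t, n, refused
    }
  '
}

# The running sum from the reply above, on the same input, for comparison.
naive_count() {
  awk '
    function flag(v) { return (v == "1" || v == "True") ? 1 : 0 }
    { c += flag($3) - flag($5) - flag($6); printf "%s %d\n", $1, c }
  '
}

# Highest value in column 2 of either counter's output.
peak() { awk 'NR == 1 || $2 > m { m = $2 } END { print m + 0 }'; }

# Constructed sample (not from a real capture): streams 0, 1 and 2 are accepted,
# stream 3 is refused with a RST; stream 0 closes with a FIN from each side,
# stream 1 is reset and then also sees a late FIN.
SAMPLE='0.000 0 1 0 0 0
0.010 0 1 1 0 0
0.020 1 1 0 0 0
0.030 1 1 1 0 0
0.500 0 0 1 1 0
0.510 0 0 1 1 0
0.600 2 1 0 0 0
1.000 2 1 1 0 0
1.100 3 1 0 0 0
1.150 3 0 1 0 1
1.200 1 0 1 0 1
1.300 1 0 1 1 0
2.000 2 0 1 1 0'

printf '%s\n' "$SAMPLE" | count_concurrent
printf 'peak concurrent (per-stream): %s\n' "$(printf '%s\n' "$SAMPLE" | count_concurrent | peak)"
printf 'peak concurrent (naive sum):  %s\n' "$(printf '%s\n' "$SAMPLE" | naive_count | peak)"
```

On the sample the per-stream counter peaks at 2 and ends at 0 with one refused connection, while the naive sum peaks at 5 and ends at 1, which is why a graph of the raw sum over a long capture drifts away from the true number of open connections. To graph a real capture, replace the SAMPLE line with `tshark ... | count_concurrent` and feed columns 1 and 2 to gnuplot or similar; column 3 plotted alongside shows when refusals start relative to the concurrent count.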