The following will give you a running count of the number of connections
in column 1. You can then use your favorite graphing routine to graph
the count. This assumes bash or some similar shell command.
c=0; tshark -r foo.pcap \
  -Y "not tcp.analysis.retransmission && (tcp.flags.syn == 1 || tcp.flags.fin == 1 || tcp.flags.reset == 1) && tcp.port == 80" \
  -T fields -e tcp.flags.syn -e tcp.flags.fin -e tcp.flags.reset \
  | while read s f r; do ((c = c + s - f - r)); echo $c $s $f $r; done > foo
This will give you a sorted list of the number of connections along with
the time stamp from the trace. This might be easier to correlate with
any proxy logs.
$ c=0; tshark -r foo.pcap \
  -Y "not tcp.analysis.retransmission && (tcp.flags.syn == 1 || tcp.flags.fin == 1 || tcp.flags.reset == 1) && tcp.port == 80" \
  -T fields -e tcp.flags.syn -e tcp.flags.fin -e tcp.flags.reset -e frame.time \
  | while read s f r t; do ((c = c + s - f - r)); echo $c $s $f $r $t; done | sort -nk1
One other thought. If you are interested in the number of connections,
would it make more sense to filter on SYN-ACKs instead of SYNs?
For the record I am using Ubuntu 16.04 LTS (Xenial Xerus)
On 05/22/2016 05:00 AM, wireshark-users-request@xxxxxxxxxxxxx wrote:
I have been looking into an issue where I suspect that the client can't
connect to a proxy server due to the limit of concurrent connections.
As I have a full packet capture of such an incident I was looking for a
way to make a graph of the amount of connections over the duration of the
packet capture.
I could do a rough estimate if I filter with:
((tcp.flags.syn == 1) || (tcp.flags.fin == 1) || (tcp.flags.reset == 1))
&& (tcp.dstport == 80)
But is there a way to calculate the concurrent sessions?
Regards,
Hugo.
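The running-count pipeline in the reply above adds one for every packet with SYN set, so with "tcp.port == 80" both the client's SYN and the server's SYN-ACK bump the count for the same connection, and both sides' FINs subtract. The following is an added example, not code from either poster: it tracks open connections per tcp.stream instead, counting a connection either from the client SYN (attempts, mode "syn") or from the server SYN-ACK (accepted, mode "synack", the reply's suggestion), and closing it at the first FIN or RST. The tshark invocation is placeholder usage (foo.pcap is a placeholder, and -T fields output is tab separated by default); the sample rows are constructed, not from a real capture, and the boolean normalisation covers both the 1/0 and the True/False spellings tshark prints depending on version.

```shell
#!/bin/sh
# Added example: concurrent TCP connections from tshark field output.
# Row layout (tab separated, one row per SYN/FIN/RST packet):
#   tcp.stream  tcp.flags.syn  tcp.flags.ack  tcp.flags.fin  tcp.flags.reset  frame.time

# Placeholder usage against a real capture (needs tshark; not run here):
#   capture_rows foo.pcap | running_count synack | sort -nk1
capture_rows() {
    tshark -r "$1" \
      -Y "not tcp.analysis.retransmission && (tcp.flags.syn == 1 || tcp.flags.fin == 1 || tcp.flags.reset == 1) && tcp.port == 80" \
      -T fields -e tcp.stream -e tcp.flags.syn -e tcp.flags.ack \
      -e tcp.flags.fin -e tcp.flags.reset -e frame.time
}

# running_count MODE: reads rows on stdin, prints "count<TAB>stream<TAB>SAFR flags<TAB>time".
# MODE "syn"    counts a stream from the client SYN (connection attempts).
# MODE "synack" counts a stream from the server SYN-ACK (accepted connections).
# A stream is removed at its first FIN or RST; duplicates (retransmitted SYNs,
# the second side's FIN) cannot double count because the stream set is checked.
running_count() {
    mode=${1:-syn}
    awk -F'\t' -v mode="$mode" '
    # tshark prints booleans as 1/0 or True/False depending on version
    function b(v) { return (v == "1" || v == "True" || v == "TRUE") ? 1 : 0 }
    {
        stream = $1; syn = b($2); ack = b($3); fin = b($4); rst = b($5); t = $6
        opens = (mode == "synack") ? (syn && ack) : (syn && !ack)
        if (opens && !(stream in active)) { active[stream] = 1; n++ }
        else if ((fin || rst) && (stream in active)) { delete active[stream]; n-- }
        printf "%d\t%s\t%d%d%d%d\t%s\n", n, stream, syn, ack, fin, rst, t
    }'
}

# peak_count MODE: highest concurrent count seen in the input.
peak_count() {
    running_count "$1" | awk -F'\t' '$1 > m { m = $1 } END { print m + 0 }'
}

# final_count MODE: count still open at the end of the input.
final_count() {
    running_count "$1" | tail -n 1 | cut -f1
}

# Constructed sample: two completed connections, one stream 2 that only ever
# sends a SYN (never accepted), stream 1 torn down by RST.
sample_rows() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        0 1 0 0 0 '2016-05-22 05:00:00.000' \
        0 1 1 0 0 '2016-05-22 05:00:00.010' \
        1 1 0 0 0 '2016-05-22 05:00:00.020' \
        1 1 1 0 0 '2016-05-22 05:00:00.030' \
        0 0 1 1 0 '2016-05-22 05:00:01.000' \
        0 0 1 1 0 '2016-05-22 05:00:01.005' \
        2 1 0 0 0 '2016-05-22 05:00:02.000' \
        1 0 1 0 1 '2016-05-22 05:00:03.000'
}

# Demo on the constructed rows: attempts peak at 2 and one (stream 2) is left
# pending; accepted connections also peak at 2 but all are closed by the end.
sample_rows | running_count syn
```

Comparing the two modes on the same capture is the useful check for the proxy question: a growing gap between the "syn" and "synack" counts means clients are opening connections the proxy is not accepting, which is what a concurrent-connection limit looks like on the wire.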