Hi all, I haven't found a good way to do this yet. Is there a way to filter out TCP sessions that have no payload? (Basically, sessions that have the 3-way handshake and then immediately close via FIN or RST that didn't actually transmit any meaningful data). Thanks -VK |
Unfortunately, display filters work on individual packets, and have no state, so there's no simple display filter to do that. I don't know enough about MATE to say whether it would support that. |
You could use tshark to create that filter for you :-) To find all TCP packets with data, use:
... we're only interested in the IDs of the TCP sessions that contain data:
Then use some shell magic to create a list of all these session IDs:
... and transform it into a display filter:
You can then use that filter in Wireshark. Or you can create a new tracefile with only the sessions containing data in one run with:
Hope this helps!

That will work for me! Thanks! -VK
(05 Jan '12, 08:22)
VaporKnight
Hmm.. Actually this didn't work. When I do the -e tcp.stream I don't get stream IDs returned. I just get a lot of empty lines. When I do things like tcp.seq or tcp.ack I do see some values. So this seems specific to tcp.stream. In Wireshark I can see the stream IDs. -VK
(05 Jan '12, 11:38)
VaporKnight
This works for me with TShark 1.7.0 (SVN 39768) in Windows 7 (64-bit). I ran:

    tshark -r nfs_bad_stalls.cap -R "tcp.len>0" -T fields -e tcp.stream |\
    sort -n | uniq |\
    awk '{printf("%stcp.stream==%d",sep,$1);sep="||"}'

which yields:
(05 Jan '12, 12:06)
bstn
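The sort/uniq/awk pipeline from the comment above, rewritten as a shell function so it can be exercised on constructed tshark output (an added example, not code from the thread). It skips the empty lines that the older tshark in the thread printed for -e tcp.stream, and can also emit the negated filter, which is what the original question asked for: only the sessions that carried no payload. The sample input is constructed; the tshark invocation in the comment is only quoted.

```shell
# Reads the output of `tshark -r trace.pcap -R "tcp.len>0" -T fields -e tcp.stream`
# on stdin and prints a Wireshark display filter.
#   build_stream_filter          -> sessions that carried data
#   build_stream_filter negate   -> sessions that carried no data (handshake + FIN/RST only)
build_stream_filter() {
  sort -n | uniq | awk -v negate="${1:-}" '
    NF == 0 { next }                      # drop empty lines (old tshark printed no id)
    { ids[n++] = $1 }
    END {
      if (n == 0) { exit }                # no data-carrying stream at all: print nothing
      filter = ""
      for (i = 0; i < n; i++) {
        filter = filter (i ? "||" : "") "tcp.stream==" ids[i]
      }
      if (negate == "negate") { filter = "!(" filter ")" }
      print filter
    }'
}

# Constructed sample of tshark field output: streams 3 and 1 carry data
# (each listed once per data packet) plus one empty line as seen with tshark 1.0.2.
sample_output='3
1
3

1'

# Filter keeping sessions with data, then the inverse for payload-less sessions.
printf '%s\n' "$sample_output" | build_stream_filter
printf '%s\n' "$sample_output" | build_stream_filter negate
```

The negated form is what to paste into the Wireshark filter bar to see only the empty sessions; with a current tshark, -R would be -Y.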
Hmm.. maybe need to update then. Running tshark 1.0.2 on Linux. I'll try that. -VK
(05 Jan '12, 12:09)
VaporKnight
Works on 1.6.0 Thanks! -VK
(05 Jan '12, 12:16)
VaporKnight
Yes, the
(05 Jan '12, 12:24)
Guy Harris ♦♦