initial version

The data displayed in Statistics->Conversations or in the tshark -z conv,... tables is calculated and stored in the structure declared in conversation_table.h (shown below) and displayed by tap-iousers.c:

/**
 * Conversation information.
 *
 * Holds the two endpoint addresses and ports, a conversation id, frame and
 * byte counters for each direction, and start/stop timestamps for a single
 * conversation.
 *
 * NOTE(review): this excerpt does not show which direction "rx" and "tx"
 * refer to (presumably relative to src_address/dst_address) - confirm in the
 * code that updates the counters before relying on them for traffic
 * attribution.
 */
typedef struct _conversation_item_t {
    ct_dissector_info_t *dissector_info; /**< conversation information provided by dissector */
    address             src_address;    /**< source address */
    address             dst_address;    /**< destination address */
    endpoint_type       etype;          /**< endpoint_type (e.g. ENDPOINT_TCP) */
    guint32             src_port;       /**< source port (stored in a 32-bit field) */
    guint32             dst_port;       /**< destination port (stored in a 32-bit field) */
    conv_id_t           conv_id;        /**< conversation id */

    /* Counters are 64-bit and kept separately per direction. */
    guint64             rx_frames;      /**< number of received packets */
    guint64             tx_frames;      /**< number of transmitted packets */
    guint64             rx_bytes;       /**< number of received bytes */
    guint64             tx_bytes;       /**< number of transmitted bytes */

    /* NOTE(review): the reference point for the "relative" times is not
     * visible here (presumably the start of the capture) - confirm. */
    nstime_t            start_time;     /**< relative start time for the conversation */
    nstime_t            stop_time;      /**< relative stop time for the conversation */
    nstime_t            start_abs_time; /**< absolute start time for the conversation */
} conv_item_t;


Some of the items happen to align with Wireshark display fields but it's not a one-to-one match.

The data displayed in Statistics->Conversations or in the tshark -z conv,... tables is calculated and stored in the structure declared in conversation_table.h (shown below) and printed by tap-iousers.c:

/**
 * Conversation information.
 *
 * Holds the two endpoint addresses and ports, a conversation id, frame and
 * byte counters for each direction, and start/stop timestamps for a single
 * conversation.
 *
 * NOTE(review): this excerpt does not show which direction "rx" and "tx"
 * refer to (presumably relative to src_address/dst_address) - confirm in the
 * code that updates the counters before relying on them for traffic
 * attribution.
 */
typedef struct _conversation_item_t {
    ct_dissector_info_t *dissector_info; /**< conversation information provided by dissector */
    address             src_address;    /**< source address */
    address             dst_address;    /**< destination address */
    endpoint_type       etype;          /**< endpoint_type (e.g. ENDPOINT_TCP) */
    guint32             src_port;       /**< source port (stored in a 32-bit field) */
    guint32             dst_port;       /**< destination port (stored in a 32-bit field) */
    conv_id_t           conv_id;        /**< conversation id */

    /* Counters are 64-bit and kept separately per direction. */
    guint64             rx_frames;      /**< number of received packets */
    guint64             tx_frames;      /**< number of transmitted packets */
    guint64             rx_bytes;       /**< number of received bytes */
    guint64             tx_bytes;       /**< number of transmitted bytes */

    /* NOTE(review): the reference point for the "relative" times is not
     * visible here (presumably the start of the capture) - confirm. */
    nstime_t            start_time;     /**< relative start time for the conversation */
    nstime_t            stop_time;      /**< relative stop time for the conversation */
    nstime_t            start_abs_time; /**< absolute start time for the conversation */
} conv_item_t;


Some of the items happen to align with Wireshark display fields but it's not a one-to-one match.