I think you'll have to use some post processing with a scripting language of your choice.

I would first extract the frame.time and tcp.stream and tcp.flags (using -T fields -e xxx) for packets with a filter of "tcp.flags == 0x2 or tcp.flags.reset == 1" to get the start and end of sessions, then work out the stream indexes for sessions that are less than 30s.

This will give you the stream indexes for sessions that meet the time requirements and these can be used to filter the original file down a bit.

Filtering further on session size is a bit trickier; unfortunately the -z conv,tcp option doesn't show the stream indexes, although it does show the size. I guess you could do something with the sequence numbers and calculate the size that way.
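The post-processing step described in this answer (extract SYN and RST packets with -T fields, work out per-stream durations, build a filter from the stream indexes) written out in Python as an added example; this is not code from the answer's author. It assumes the first tshark pass is run as shown in the docstring (hypothetical file names capture.pcap and flags.tsv), and it uses frame.time_epoch instead of frame.time so the timestamp parses as a float rather than a locale-dependent date string. The tshark output embedded in SAMPLE_TSV is constructed to exercise the edge cases: a retransmitted SYN, an RST/ACK, and a stream that has a SYN but no RST in the export.

```python
#!/usr/bin/env python3
"""Find TCP streams shorter than 30 s from tshark -T fields output.

Assumed first pass (hypothetical file names; tshark is not invoked here):

  tshark -r capture.pcap \
      -Y "tcp.flags == 0x2 or tcp.flags.reset == 1" \
      -T fields -e frame.time_epoch -e tcp.stream -e tcp.flags > flags.tsv

The printed filter is then used for the second pass over the original file:

  tshark -r capture.pcap -Y "$(python3 short_streams.py flags.tsv)" -w short.pcap
"""
import sys

SYN = 0x02  # tcp.flags.syn bit
RST = 0x04  # tcp.flags.reset bit

# Constructed sample of what the first pass prints (tab-separated):
# stream 0: SYN, then RST/ACK 5.5 s later              -> shorter than 30 s
# stream 1: SYN, then RST 44.25 s later                -> too long
# stream 2: SYN only (FIN-closed or still open)        -> no end, skipped
# stream 3: retransmitted SYN, RST 7 s after the first -> shorter than 30 s
SAMPLE_TSV = """\
1700000000.000000\t0\t0x0002
1700000005.500000\t0\t0x0014
1700000001.000000\t1\t0x0002
1700000045.250000\t1\t0x0004
1700000002.000000\t2\t0x0002
1700000003.000000\t3\t0x0002
1700000003.000000\t3\t0x0002
1700000010.000000\t3\t0x0004
"""


def parse_rows(text):
    """Yield (epoch_time, stream_index, flags) from tshark field output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        time_s, stream, flags = line.split("\t")
        yield float(time_s), int(stream), int(flags, 16)


def session_bounds(rows):
    """Map stream index -> (first SYN time, first RST time or None).

    The earliest SYN is kept so a retransmitted SYN does not shorten the
    session; the earliest RST marks the point the session was torn down.
    """
    bounds = {}
    for t, stream, flags in rows:
        start, end = bounds.get(stream, (None, None))
        if flags & SYN and (start is None or t < start):
            start = t
        if flags & RST and (end is None or t < end):
            end = t
        bounds[stream] = (start, end)
    return bounds


def short_streams(bounds, max_seconds=30.0):
    """Stream indexes whose SYN-to-RST duration is below max_seconds.

    Streams missing either a SYN or an RST in the export are skipped.
    """
    return sorted(
        stream
        for stream, (start, end) in bounds.items()
        if start is not None and end is not None and end - start < max_seconds
    )


def display_filter(streams):
    """Display filter selecting only those streams in the original capture.

    Set members are comma separated as tshark 4.x requires; tshark before
    3.6 expects them separated by whitespace instead.
    """
    return "tcp.stream in {" + ", ".join(str(s) for s in streams) + "}"


def filter_for(text, max_seconds=30.0):
    """Full pipeline: field output text -> display filter string."""
    streams = short_streams(session_bounds(parse_rows(text)), max_seconds)
    if not streams:
        raise ValueError("no stream under %g s has both a SYN and an RST" % max_seconds)
    return display_filter(streams)


def main(argv):
    # Read the real flags.tsv when given, otherwise run on the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TSV
    print(filter_for(text))


if __name__ == "__main__":
    main(sys.argv)
```

Because the first-pass filter only exports SYN and RST packets, a session that ended with a FIN exchange has no end time here and is skipped; adding "or tcp.flags.fin == 1" to the -Y filter and treating the FIN bit (0x01) like RST in session_bounds picks those up as well.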