Ask Your Question
0

Equivalent Wireshark' statistics-conversations in tshark

asked 2022-05-27 14:54:50 +0000

insilicium gravatar image

updated 2022-05-28 11:07:17 +0000

grahamb gravatar image

In Wireshark, after clicking Statistics - Conversations, TCP tab, we obtain the head below:

"Address A","Port A","Address B","Port B","Packets","Bytes","Packets A → B","Bytes A → B","Packets B → A","Bytes B → A","Rel Start","Duration","Bits/s A → B","Bits/s B → A"

We get similar results by tshark using the command line:

tshark -qtu -z conv,tcp -r <file> -Tfields -E header=y -E separator="," -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport

The filter "ip.src" in the tshark gives the equivalent "Address A" in the Wireshark, "tcp.srcport", "the Port A", and so on.

How can we find the other fields like "Rel Start", "Duration", etc.? The tshark's man page does not present any filter list.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2022-05-28 15:13:17 +0000

Chuckc gravatar image

updated 2022-05-28 15:13:52 +0000

The data displayed in Statistics->Conversations or the tshark -z conv,.. tables is calculated and stored in the conversation_table.h and printed by tap-iousers.c:

/** Conversation information */
typedef struct _conversation_item_t {
    ct_dissector_info_t *dissector_info; /** conversation information provided by dissector */
    address             src_address;    /** source address */
    address             dst_address;    /** destination address */
    endpoint_type       etype;          /** endpoint_type (e.g. ENDPOINT_TCP) */
    guint32             src_port;       /** source port */
    guint32             dst_port;       /** destination port */
    conv_id_t           conv_id;        /** conversation id */

    guint64             rx_frames;      /** number of received packets */
    guint64             tx_frames;      /** number of transmitted packets */
    guint64             rx_bytes;       /** number of received bytes */
    guint64             tx_bytes;       /** number of transmitted bytes */

    nstime_t            start_time;     /** relative start time for the conversation */
    nstime_t            stop_time;      /** relative stop time for the conversation */
    nstime_t            start_abs_time; /** absolute start time for the conversation */
} conv_item_t;

Some of the items happen to align with Wireshark display fields but it's not a one-to-one match.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2022-05-27 14:54:50 +0000

Seen: 476 times

Last updated: May 28 '22

Related questions

Statistics / Conversations / Name Resolution

Tshark conversation view output modification

How do I see Statistics/Conversations/Bytes values in full rather than abbreviated as "N k"?

Capture incoming packets from remote web server

Localhost capturing

How to filter out TCP retransmissions

My UDP packets aren't showing

Using tshark filters to extract only interesting traffic from 12GB trace

Capture Filters - SSL Handshake or HEX

Is it possible to test a capture filter with already captured traffic?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2