Ask Your Question
0

Filter first and last packet in all conversations

asked 2024-04-26 02:40:03 +0000

ThePooBurner gravatar image

I would like a display filter to grab only the first and last packets in every conversation in the capture. Is this possible?

edit retag flag offensive close merge delete

Comments

Define "conversation" - IP, TCP, Foo, ...

Chuckc gravatar imageChuckc ( 2024-04-26 02:59:05 +0000 )edit

Each conversation is a set of packets that all have the same tcp.stream value. So i want to see all conversations in the pcap, but only their first and last packets. The idea is to use the frame.time_delta as a column to see how long each conversation was.

ThePooBurner gravatar imageThePooBurner ( 2024-04-26 03:11:03 +0000 )edit

I'm new to this still, so I don't know about how other types of streams are handled yet. My class is focused on pretty basic stuff. I just have a hard time not making this a little more complicated than they might otherwise be.

ThePooBurner gravatar imageThePooBurner ( 2024-04-26 03:16:08 +0000 )edit

Statistics -> Conversations -> TCP:Duration or tshark -z conv,type[,filter]?

Otherwise it could be done with a Lua script to add extra field(s) indicating first and last then filter on the new field(s).

Chuckc gravatar imageChuckc ( 2024-04-26 06:13:17 +0000 )edit

2 Answers

Sort by » oldest newest most voted
0

answered 2024-04-27 10:22:29 +0000

André gravatar image

This display filter will show all the first captured packet per TCP stream: tcp.time_relative == 0
Thus including streams that were already active when the capture started.

For the last packets I don’t know a single display filter option. The most reliable would be the maximum value of tcp.time_relative per stream.
What comes close is filter on FIN or RESET tcp.flags & 5
And for a quick start-to-end impression, add SYN: tcp.flags & 7
But then the last ACK to FIN would be filtered out and of course none of the streams that remained active when the capture ended.

For small captures you can add the column tcp.time_relative and sort on the column tcp.stream.

An alternative would be to use tshark, sort on tcp.stream and frame.number and use some (awk) script to filter out first and last packets per stream.

edit flag offensive delete link more
0

answered 2024-04-27 09:01:24 +0000

Jaap gravatar image

Since we're talking about TCP connections here (not part of the question, but clarified in a comment) the start would be identified by the SYN flag and the end by the FIN or RES flag. Together with the generated stream # this should be it.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-04-26 02:40:03 +0000

Seen: 300 times

Last updated: Apr 27 '24