Filter first and last packet in all conversations
I would like a display filter to grab only the first and last packets in every conversation in the capture. Is this possible?
This display filter will show the first captured packet of every TCP stream: tcp.time_relative == 0
Thus including streams that were already active when the capture started.
For the last packets I don't know a single display filter option. The most reliable would be the maximum value of tcp.time_relative per stream.
What comes close is to filter on FIN or RESET: tcp.flags & 5
And for a quick start-to-end impression, add SYN: tcp.flags & 7
But then the last ACK to FIN would be filtered out and of course none of the streams that remained active when the capture ended.
For small captures you can add the column tcp.time_relative and sort on the column tcp.stream.
An alternative would be to use tshark, sort on tcp.stream and frame.number, and use some (awk) script to filter out first and last packets per stream.
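The tshark + awk approach described in this answer, written out as an added example (not the answerer's own script). It assumes the tshark field names tcp.stream, frame.number and frame.time_relative and a capture file path, and runs the awk part over a constructed sample of tshark output so it can be tried without a capture. As with the display-filter approach, it reports the first and last *captured* packet of each stream, so streams already active at capture start or still open at capture end are included.

```shell
#!/bin/sh
# Added example: tshark + awk to keep the first and last captured packet per
# TCP stream. Assumed field names: tcp.stream, frame.number, frame.time_relative.

# Dump one CSV line per TCP packet: stream id, frame number, time since capture start.
extract_fields() {                       # usage: extract_fields capture.pcap
    tshark -r "$1" -Y tcp -T fields -E separator=, \
        -e tcp.stream -e frame.number -e frame.time_relative
}

# Sort by stream then frame number and print, per stream:
#   stream  first_frame  last_frame  duration_seconds
# Streams active when the capture began or ended are still reported; their
# "first"/"last" packet is just the first/last one that was captured.
first_last_per_stream() {
    sort -t, -k1,1n -k2,2n | awk -F, '
        function emit(   f, l) {
            split(first, f, ","); split(last, l, ",")
            printf "%s %s %s %.6f\n", f[1], f[2], l[2], l[3] - f[3]
        }
        NR == 1 || $1 != prev { if (NR > 1) emit(); first = $0; prev = $1 }
        { last = $0 }
        END { if (NR > 0) emit() }'
}

# Constructed sample of extract_fields output (not from a real capture), deliberately
# unsorted because packets of different streams interleave in a capture.
SAMPLE='0,1,0.000000
0,2,0.000120
1,3,0.001000
0,4,0.001500
1,5,0.002000
0,6,0.120000
0,7,0.120050
1,8,0.500000'

# Run on the sample; with a real file use: extract_fields capture.pcap | first_last_per_stream
printf '%s\n' "$SAMPLE" | first_last_per_stream
```

Each output line is "stream first_frame last_frame duration", so a stream that was captured as a single packet shows the same frame twice with duration 0.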
Since we're talking about TCP connections here (not part of the question, but clarified in a comment) the start would be identified by the SYN flag and the end by the FIN or RES flag. Together with the generated stream # this should be it.
Asked: 2024-04-26 02:40:03 +0000
Seen: 253 times
Last updated: Apr 27
Define "conversation" - IP, TCP, Foo, ...
Each conversation is a set of packets that all have the same tcp.stream value. So I want to see all conversations in the pcap, but only their first and last packets. The idea is to use the frame.time_delta as a column to see how long each conversation was. I'm new to this still, so I don't know about how other types of streams are handled yet. My class is focused on pretty basic stuff. I just have a hard time not making this a little more complicated than they might otherwise be.
Statistics -> Conversations -> TCP: Duration, or tshark -z conv,type[,filter]?
Otherwise it could be done with a Lua script to add extra field(s) indicating first and last, then filter on the new field(s).