Ask Your Question
0

Exclude streams having retransmissions

asked 2024-11-01 19:38:42 +0000

noobhawk gravatar image

updated 2024-11-01 23:35:33 +0000

Guy Harris gravatar image

I have a lot of streams in my pcap. I am finding a way to exclude the stream where I find a restransmission flag set.

I have tried this below command to find clean streams.

$ tshark -r trace.pcap -Y "not tcp.analysis.retransmission" -T fields -e tcp.stream > streams.out

But when I use the about "streams.out" file to create a filter of clean OR'ed streams using below shell command:

$ cat /tmp/x | sort -un | sed ':a;N;$!ba;s/\n/ or tcp.stream==/g'

and using it directly in the filter give me error:

$ tshark -r trace.pcap -Y "`cat /tmp/x | sort -un | sed ':a;N;$!ba;s/\n/ or tcp.stream==/g'`" tshark: argument list too long.

Thats because I have a huge number of streams in my pcap. Is there a direct way to exclude the streams from the pcap.

edit retag flag offensive close merge delete

Comments

-Y "not tcp.analysis.flags"
Doesn't this match the SYN packet of every stream?

Would it better to get a list of all the streams that include a tcp.analysis.flags packet then delete those from a list of all streams?

Are you open to doing it with a lua script?
using tshark with huge display filters

Chuckc gravatar imageChuckc ( 2024-11-01 20:23:44 +0000 )edit

My list of streams that not include the filter is also a very big list.

noobhawk gravatar imagenoobhawk ( 2024-11-01 20:29:02 +0000 )edit

"argument list too long." is coming from the operating system.
You could break the list into smaller pieces, make multiple output files them merge them with mergecap.

Chuckc gravatar imageChuckc ( 2024-11-01 20:37:17 +0000 )edit

If the argument is only slightly too long, note that you can make a much shorter filter with tcp.stream in {X,...,Y}

johnthacker gravatar imagejohnthacker ( 2024-11-01 21:05:52 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-11-01 23:39:41 +0000

Guy Harris gravatar image

Is this something with which MATE would help?

See also the Wireshark Wiki entry for MATE.

edit flag offensive delete link more

Comments

Pdu tcp_pdu Proto tcp Transport tcp/ip {
    Extract stream From tcp.stream;
    Extract analysis_flags From tcp.analysis.retransmission;
};

Gop tcp_gop On tcp_pdu Match (stream) {
    Start (stream);
    Stop (analysis_flags);
};

Gog tcp_gog {
    Member tcp_gop (stream);
};



C:\>"c:\Program Files\wireshark\tshark.exe" -2 -r .\*v20210721* -w 241101_mate.pcap -Y "mate.tcp_gog.NumOfGops == 1"
 ** (tshark:6164) 23:25:29.786698 [MATE MESSAGE] -- initialize_mate: entering
Chuckc gravatar imageChuckc ( 2024-11-02 04:29:54 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2024-11-01 19:38:42 +0000

Seen: 48 times

Last updated: Nov 01