First time here? Check out the FAQ!

Ask Your Question
0

How to make tshark/wireshark to analyze tcp flow group by interface_id
 
  
 
  
 
 
 
 
 
 
    
        
        asked Jul 12 '18  
 
 carle gravatar image  
 
 
 
 
 
Hi guys.
I have a pcapng file with multiple interfaces. 
It seems wireshark/tshark don't consider the interface while decoding the flows,  for example, there are two exactly identical packets but with different interface id, and wireshark will show the second packet as "retransmission/duplicate/out of order".
 
So is there any way to tell wireshark to decode different interfaces separately?
 
Preview: (hide)
 
 
 
 
          
 
add a comment
 
 
 
 
 
 2 Answers
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
1
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Jul 12 '18  
 
 NJL gravatar image  
 
 
 
 
 
You should be able to use a Display Filter to select the interface you want and then you can export that data as a separate capture file. Once that is done you can open e.g. two files (one with interface-id1 and another with interface-id2) so you can compare what you're seeing.
This should also be possible using tshark if you prefer commandline.
The reason I write "should" is because I've never actually handled a capture file with captures from multiple interfaces.
Can you share your capture (or some of it)?
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
thanks for your quick reply.
that's workable, but I still prefer someway to show multiple channels in one page.
And sorry, I don't have enough points to upload the file.
carle gravatar imagecarle (
    
        Jul 12 '18
    )
If you can upload the file to cloudshark, google drive, dropbox etc. you can share the link
NJL gravatar imageNJL (
    
        Jul 12 '18
    )
Here's an excellent post covering some of the possible issues with multi-interface captures.
NJL gravatar imageNJL (
    
        Jul 12 '18
    )
I add a file for your reference at https://www.cloudshark.org/captures/4...
carle gravatar imagecarle (
    
        Jul 14 '18
    )
add a comment
 
 
 
 
   
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Jul 12 '18  
 
 cmaynard gravatar image  
 
 
 
 
    
        
        updated Jul 12 '18  
 
 
 
 
 
Currently, there isn't a solution for this; however, there is a mechanism in place that could handle it, but it will require changes to the Wireshark code before this is possible.
 
I don't know which version of Wireshark you're using, but at least with 2.6 or later you can enable the preference to enforce stricter conversation tracking heuristics.
 
The preference can be enabled via Edit -> Preferences -> Protocols -> Enable stricter conversation tracking heuristics.
 
As the tooltip states:
 
Protocols may use things like VLAN ID
or interface ID to narrow the potential
for duplicate conversations. Currently
only ICMP and ICMPv6 use this
preference to add VLAN ID to
conversation tracking
 
Anyway, if someone were to extend the strict_conversation_tracking_heuristics preference to include the interface ID in strict conversation tracking, the problem you're facing could be avoided.  At the very least, I would recommend that you open a Wireshark Bug Report, asking for this to be implemented.  I think this would be very useful.
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
Anyway, very useful information and good to know that, thanks.
carle gravatar imagecarle (
    
        Jul 12 '18
    )
I try the "Enable stricter conversation tracking heuristics" with wireshark 2.6.1, the issue is still there.
carle gravatar imagecarle (
    
        Jul 12 '18
    )
Yes, that's to be expected, but the intent of that preference is to allow things like the interface ID to be used to better track conversations.  As I suggested, a Wireshark Bug Report should be filed to enhance strict_conversation_tracking_heuristics to handle interface ID's as well, especially since that's the intent of that preference.
cmaynard gravatar imagecmaynard (
    
        Jul 13 '18
    )
I see, thanks.
carle gravatar imagecarle (
    
        Jul 13 '18
    )
I do want to stress the importance of filing bugs to fix/enhance Wireshark.  First, if bugs are not filed, then developers may not even be aware of problems and second, although they may be aware of limitations such as this, if nobody cares much about the limitations, then there's less motivation to fix/enhance them.  All developers are volunteers with only so much time to dedicate on Wireshark development, so while "the squeaky wheel gets the grease" isn't necessarily true, the quiet wheel almost certainly won't get any grease.
cmaynard gravatar imagecmaynard (
    
        Jul 13 '18
    )

            
                see more comments
            
        
 
 
 
 
 
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 

        
        
            1 follower
        
    
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  Jul 12 '18  
 
 
        Seen: 1,184 times 
 

        Last updated: Jul 12 '18 
 
 
 
Related questions
 
 
 Hiring a WireShark Expert 
 
 Why I cannot see anything when I use this wlan.fc.type filters? 
 
 Unrelated interface names 
 
 Why Did The Frame Ethernet Interface \Device\NPF {xxxetc.}Change? 
 
 damaged pcapng file - interface index problem