I did it once that way: Filter on every packet that has set one of these Flags active: SYN, RST or FIN
Then Apply a column on that Flags and one fpr the ACK Flag. After that you can export that view as an CSV file.
And when you import that file to for example to EXCEL you can count with a macro the number of concurrent sessions and that number you can draw.
This can be a solution. You also can try it in anotehr way by using tshark and some shell environments like powershell or bash. But Wireshark itsself can´t help you at the moment with that question. As there is no explicit field that counts that number.
Hope this answer helps you.
Bear in mind that the above method intrinsically ignores all sessions established before the capture has started - depending on your use case, the significance may be anywhere between "negligible" and "fundamentally wrong".
I would use a (Lua) post-dissector which would keep track of the number of sessions and add a generated field with their current count to the dissection tree of each TCP packet. You could then make a graph inside Wireshark where Y value would be the AVG value of that field.
As each packet is dissected multiple times, such postdissector would have to maintain a global table (array), such as sess_cnt[], indexed by frame.number, to guarantee that it would calculate the value for each packet only once - all packets are dissected in sequence when Wireshark starts.
You would have to track two global values - max_tcp_stream and stream_count, both initialized to 0.
Whenever there would be no row ...
Asked: 2017-12-08 16:45:32 +0000
Seen: 2,866 times
Last updated: Dec 10 '17
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
