Ask Your Question
0

how do I filter conversation -conv- command in Tshark version 3.0.0

asked 2019-04-04 18:03:29 +0000

rvelez3@fau.edu gravatar image

updated 2019-04-04 18:13:51 +0000

any way of filtering out the "Relative Start" and "Duration" fields in the conv output of Tshark version 3.0.0

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-04-05 19:01:26 +0000

cmaynard gravatar image

I don't know if you can do this in Wireshark (I don't think so), but you can get pretty good results using tshark I think. For example:

tshark -r file.pcap -z conv,tcp -q

This will produce output such as follows:

================================================================================
TCP Conversations
Filter:<no filter="">
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.112.101:39611      <-> 69.4.231.52:http             20545  26190636   13022    707804   33567  26898440     0.000000000        32.8158
================================================================================

With the capture file I tested, there was only a single TCP connection; therefore there's only a single row of data in this output.

edit flag offensive delete link more

Comments

I think the OP wants to drop the specified columns from the output, I don't think this is possible.

grahamb gravatar imagegrahamb ( 2019-04-05 19:23:03 +0000 )edit

Thank you for responding to my question. Please test udp on your end and tell what you get. I'm entering: tshark -r file.pcap -q -z conv,udp. However, I'm getting a lot of repeated conversations...between the same source/destination ip address. Is it because of the Relative Start field?

rvelez3@fau.edu gravatar image[email protected] ( 2019-04-06 15:40:04 +0000 )edit

The port numbers are probably different, so they would constitute different conversations.

cmaynard gravatar imagecmaynard ( 2019-04-06 16:22:07 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-04-04 18:03:29 +0000

Seen: 58 times

Last updated: Apr 05