tshark conversation output lopsided
I am entering: tshark -r file.pcap -q -z conv,udp. Regardless of how long I let the file run, as an example: if bytes sent are 100, the response bytes are 0; if the bytes sent are 0, the response bytes are 100. Completely counter-intuitive to what the command is supposed to do. I could understand if the response is 0 when 100 bytes are sent - perhaps because the destination port is closed, or for any other reason - but when the response bytes are 100 without any bytes having been sent, then I'm lost. Can someone please test the command and let me know what you get?
Again, works for me. What kind of traffic are you capturing, i.e. what is running on top of UDP?
Thank you Grahamb. I am just reading (-r) an old capture file. The info that I need is bytes sent vs bytes returned in conv,udp. I entered: tshark -r file.pcap -q -z conv,udp. But, as I mentioned, I get either bytes sent or bytes returned, not bytes sent and bytes returned. How did you enter the command to have it work?
@grahamb With tshark 2.6.7 I get different results for different protocols. RTP seems to be split:
While DNS and NTP seem to be fine:
So the RTP "conversations" seem to be unidirectional. Odd. I don't have any VoIP-like stuff to look at to comment any further.
I see that it works for you. I'm using tshark version 3.0.0 so the output displays a bit differently. Here are a couple of lines which tell my story:
tcp produces the same result / issue.
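As an added example (not from anyone in this thread), here is a small triage script that reads the text table `tshark -q -z conv,udp` prints and lists the conversations where all bytes flow in one direction, which is the symptom being discussed. The table below is a constructed sample in the tshark 3.x layout, not output from the asker's capture; the column order ("<-" is traffic from the right-hand endpoint to the left-hand one, "->" the reverse) follows tshark's own header.

```python
import re
from typing import Dict, List

# Constructed sample of `tshark -r file.pcap -q -z conv,udp` output (tshark 3.x
# layout). Two RTP-like rows are one-sided, the DNS row is bidirectional.
SAMPLE_CONV_UDP = """\
================================================================================
UDP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.5:16384       <-> 10.0.0.9:16384          0         0     500    107000     500    107000     0.000000000        10.0012
10.0.0.9:16386       <-> 10.0.0.5:16386        498    106572       0         0     498    106572     0.010450000         9.9801
10.0.0.5:41233       <-> 10.0.0.1:53              1       115       1        59       2       174     0.000000000         0.0213
================================================================================
"""

# One conversation row: "A <-> B  frames bytes (B->A)  frames bytes (A->B)  frames bytes (total) ..."
CONV_RE = re.compile(
    r"^(?P<a>\S+)\s+<->\s+(?P<b>\S+)\s+"
    r"(?P<fr_ba>\d+)\s+(?P<by_ba>\d+)\s+"   # "<-" columns: b -> a
    r"(?P<fr_ab>\d+)\s+(?P<by_ab>\d+)\s+"   # "->" columns: a -> b
    r"(?P<fr_tot>\d+)\s+(?P<by_tot>\d+)"
)


def parse_conv_table(text: str) -> List[Dict]:
    """Parse the per-conversation rows of a tshark `-z conv,*` table, skipping headers and rulers."""
    rows = []
    for line in text.splitlines():
        m = CONV_RE.match(line.strip())
        if not m:
            continue
        rows.append({k: (v if k in ("a", "b") else int(v)) for k, v in m.groupdict().items()})
    return rows


def one_sided(rows: List[Dict]):
    """Return (sender, receiver, bytes) for every conversation that carried bytes in one direction only."""
    out = []
    for r in rows:
        if r["by_ab"] and not r["by_ba"]:
            out.append((r["a"], r["b"], r["by_ab"]))   # only a -> b seen
        elif r["by_ba"] and not r["by_ab"]:
            out.append((r["b"], r["a"], r["by_ba"]))   # only b -> a seen
    return out


if __name__ == "__main__":
    for sender, receiver, nbytes in one_sided(parse_conv_table(SAMPLE_CONV_UDP)):
        print(f"one-sided: {sender} -> {receiver}  {nbytes} bytes, 0 bytes back")
```

Feeding it real output (`tshark -r file.pcap -q -z conv,udp | python3 this.py` after swapping the sample for `sys.stdin.read()`) gives a short list of the endpoint pairs worth checking with a display filter on those ports.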