tshark conversation output lopsided

asked 2019-04-07 21:21:34 +0000

rvelez3@fau.edu gravatar image

I am entering: tshark -r file.pcap -q -z conv,udp. Regardless of how long I let the file run, as an example...if bytes sent are 100, the response bytes are 0; if the bytes sent are 0, the response bytes are 100. Completely counter-intuitive to what the command is supposed to do. I could understand if the response is 0 when 100 bytes are sent - perhaps because the destination port is closed, or for any other reason - but when the response bytes are 100 without any bytes having been sent, then I'm lost. Can someone please test the command and let me know what you get.

edit retag flag offensive close merge delete

Comments

Again, works for me. What kind of traffic are you capturing, i.e. what is running on top of UDP?

grahamb gravatar imagegrahamb ( 2019-04-08 09:57:55 +0000 )edit

Thank you Grahamb. I am just reading(-r) an old capture file. The info that I need is bytes sent vs bytes returned in conv,udp. I entered: tshark -r file.pcap -q -z conv,udp. But, as I mentioned, I get either bytes sent, or bytes returned; not bytes sent and bytes returned. How did you enter the command to have it work?

rvelez3@fau.edu gravatar image[email protected] ( 2019-04-08 14:05:00 +0000 )edit

@grahamb With tshark 2.6.7 I get different results for different protocols. RTP seems to be split:

$ tshark -qr pbx.pcapng -z conv,udp
================================================================================
UDP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
37.235.80.213:33526        <-> 10.0.102.1:15228                 0         0    5550   1187700    5550   1187700   883.235112331       110.9790
37.235.80.213:33526        <-> 10.0.102.1:15228              5545   1186630       0         0    5545   1186630   883.385274562       110.8802
10.0.102.1:19746           <-> 10.0.102.101:5004             3155    675170       0         0    3155    675170  1065.538610750        63.0805
10.0.102.1:19746           <-> 10.0.102.101:5004                0         0    3148    673672    3148    673672  1065.192924673        63.4247

While DNS and NTP seem to be fine:

10.0.102.1:59872           <-> 10.0.103.1:53 ...
(more)
SYN-bit gravatar imageSYN-bit ( 2019-04-08 14:21:09 +0000 )edit

So the RTP "conversations" seem to be unidirectional. Odd. I don't have any voip like stuff to look at to comment any further.

grahamb gravatar imagegrahamb ( 2019-04-08 15:17:02 +0000 )edit

I see that it works for you. I'm using tshark version 3.0.0 so the output displays a bit different. Here are a couple of lines which tell my story: 

         <--         -->          total
   frames bytes frames bytes frames bytes rel start duration
    0      0     43     9202  43     9202  0.000535  0.8399  
    42     8988   0     0     42     8988  0.017673  0.8206

tcp produces the same result / issue.

rvelez3@fau.edu gravatar image[email protected] ( 2019-04-08 15:17:18 +0000 )edit
see more comments