tshark conversation output lopsided

asked 2019-04-07 21:21:34 +0000

rvelez3@fau.edu

I am entering: tshark -r file.pcap -q -z conv,udp. Regardless of how long I let the file run, as an example, if bytes sent are 100, the response bytes are 0; if the bytes sent are 0, the response bytes are 100. Completely counter-intuitive to what the command is supposed to do. I could understand if the response is 0 when 100 bytes are sent (perhaps because the destination port is closed, or for any other reason), but when the response bytes are 100 without any bytes having been sent, then I'm lost. Can someone please test the command and let me know what you get?


Comments

Again, works for me. What kind of traffic are you capturing, i.e. what is running on top of UDP?

grahamb ( 2019-04-08 09:57:55 +0000 )

Thank you Grahamb. I am just reading (-r) an old capture file. The info that I need is bytes sent vs bytes returned in conv,udp. I entered: tshark -r file.pcap -q -z conv,udp. But, as I mentioned, I get either bytes sent or bytes returned, not bytes sent and bytes returned. How did you enter the command to have it work?

rvelez3@fau.edu ( 2019-04-08 14:05:00 +0000 )

@grahamb With tshark 2.6.7 I get different results for different protocols. RTP seems to be split:

$ tshark -qr pbx.pcapng -z conv,udp
================================================================================
UDP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
37.235.80.213:33526        <-> 10.0.102.1:15228                 0         0    5550   1187700    5550   1187700   883.235112331       110.9790
37.235.80.213:33526        <-> 10.0.102.1:15228              5545   1186630       0         0    5545   1186630   883.385274562       110.8802
10.0.102.1:19746           <-> 10.0.102.101:5004             3155    675170       0         0    3155    675170  1065.538610750        63.0805
10.0.102.1:19746           <-> 10.0.102.101:5004                0         0    3148    673672    3148    673672  1065.192924673        63.4247

While DNS and NTP seem to be fine:

10.0.102.1:59872           <-> 10.0.103.1:53 ...
SYN-bit ( 2019-04-08 14:21:09 +0000 )

So the RTP "conversations" seem to be unidirectional. Odd. I don't have any VoIP-like stuff to look at to comment any further.

grahamb ( 2019-04-08 15:17:02 +0000 )

I see that it works for you. I'm using tshark version 3.0.0 so the output displays a bit differently. Here are a couple of lines which tell my story:

           <--               -->              Total
    Frames   Bytes    Frames   Bytes    Frames   Bytes   Rel Start   Duration
         0       0        43    9202        43    9202    0.000535     0.8399
        42    8988         0       0        42    8988    0.017673     0.8206

conv,tcp produces the same result / issue.

rvelez3@fau.edu ( 2019-04-08 15:17:18 +0000 )

It seems this medium is not set up to accept what I tried to type. I typed two lines which show the "lopsidedness" with 0 bytes in one direction and vice versa, as I mentioned earlier.

rvelez3@fau.edu ( 2019-04-08 15:22:22 +0000 )

@rvelez3 Use the "code" button in the editor to apply a fixed format to output text. Even then it tends to wrap, so some careful editing to remove spaces helps.

I'll have to ask again: what protocols are running atop TCP? Can you share a capture file?

grahamb ( 2019-04-08 15:25:14 +0000 )

As you asked elsewhere, instead of on this question, here is some output using tshark 3.1.0, i.e. current head of master:

                                            |       <-     | |       ->     | |     Total    |   Relative   | Duration |
                                            | Frames Bytes | | Frames Bytes | | Frames Bytes |    Start     |          |
10.190.224.210:20000 <-> 10.190.226.4:20000     59     3482      86    15297     145    18779  14.615878000   180.4901
10.190.225.66:20000  <-> 10.190.226.4:20000     30     1722      35     4192      65     5914   2.475704000   198.0054
10.190.225.178:20000 <-> 10.190.226.4:20000     26     1482      26     1944      52     3426   0.000000000   174.1884
10.190.225.114:20000 <-> 10.190.226.4:20000     17     1055      32     7371      49     8426  30.465590000    80.8078
10.190.0.2:20000     <-> 10.190.226.4:20000     24     1539      24     1485      48     3024   3.464906000   191.9091
10.190.225.130 ...
grahamb ( 2019-04-08 16:56:31 +0000 )

Hi. Are you able to run the conv,udp command in version 3.0.0 of tshark? This would help me determine what is wrong with the way I'm approaching this. Also, perhaps you can tell me how to run version 3.1.0 as you did yesterday; I'm guessing I would have to tell the command line interface to run 3.1.0? Thank you for your assistance with this.

rvelez3@fau.edu ( 2019-04-09 16:39:01 +0000 )

I use 3.1.0 because I'm developing on the trunk, not because there's anything wrong with 3.0.0. You can try the automated builds from [here](https://www.wireshark.org/download/au...).

You can install multiple versions of Wireshark; you need to use a different install directory for each version. To run any version on the command line, simply prefix the command (e.g. tshark) with the path to it, e.g. "C:\Program Files\Wireshark-3.1.0\tshark.exe".

grahamb ( 2019-04-09 17:03:27 +0000 )

Hi Grahamb. Hope you have time for a question. Regarding the file I was reading, the basis of my questions: I think the reason there were no return bytes is because I was reading an old pre-captured darknet file, and as you probably know "nothing comes out of the darknet", hence no return bytes. Does this make sense to you? My question is: there is a tshark command which routes a file to Excel. Is there a way to geo-position an IP address directly from Excel?

rvelez3@fau.edu ( 2019-04-11 17:28:05 +0000 )

It's entirely possible to only capture data in one direction for many reasons. The -z conv report can only report on what it finds in the capture file.

You should create a new question for your Excel query, and similarly for your GeoIP question. Have you searched for previous questions on these subjects?

grahamb ( 2019-04-11 17:33:04 +0000 )
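An added example, not code from this thread or from the Wireshark project, that makes the two situations discussed above checkable from the `-z conv` text itself. It parses the conversation rows quoted in the 2.6.7 and 3.1.0 outputs, sums rows that share the same endpoint pair, and then asks which pairs still carry zero bytes in one direction. The RTP pairs that print as two one-way rows add up to a two-way conversation; a pair that really only has one direction in the file, as grahamb notes for one-directional captures, stays lopsided after merging. Assumptions: the row layout follows the header tshark prints for `-z conv` (A <-> B, then `<-` frames/bytes, `->` frames/bytes, total frames/bytes, relative start, duration); the final sample row using RFC 5737 documentation addresses is constructed for this example and does not come from the thread. The example does not explain why 2.6.7 split the RTP pairs, which the thread leaves open.

```python
import re

# Constructed sample input. The first six data rows are copied from the tshark
# conversation tables quoted in this thread; the last row (RFC 5737 addresses)
# is invented here to stand in for a capture that only saw one direction.
SAMPLE = """\
================================================================================
UDP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
37.235.80.213:33526        <-> 10.0.102.1:15228                 0         0    5550   1187700    5550   1187700   883.235112331       110.9790
37.235.80.213:33526        <-> 10.0.102.1:15228              5545   1186630       0         0    5545   1186630   883.385274562       110.8802
10.0.102.1:19746           <-> 10.0.102.101:5004             3155    675170       0         0    3155    675170  1065.538610750        63.0805
10.0.102.1:19746           <-> 10.0.102.101:5004                0         0    3148    673672    3148    673672  1065.192924673        63.4247
10.190.224.210:20000 <-> 10.190.226.4:20000     59     3482      86    15297     145    18779  14.615878000   180.4901
10.190.0.2:20000     <-> 10.190.226.4:20000     24     1539      24     1485      48     3024   3.464906000   191.9091
192.0.2.10:40000     <-> 198.51.100.7:53         0        0       1       60       1       60   0.000000000     0.0000
================================================================================
"""

# One data row: A <-> B, six integer counters, relative start, duration.
ROW = re.compile(
    r"^(\S+)\s+<->\s+(\S+)\s+"
    r"(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)\s+([\d.]+)\s*$"
)

# Counter columns in the order tshark prints them.
FIELDS = ("rx_frames", "rx_bytes", "tx_frames", "tx_bytes", "frames", "bytes")


def parse_conv(text):
    """Parse `tshark -q -z conv,<type>` output into one dict per row.
    Header, separator and wrapped lines do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = {"a": m.group(1), "b": m.group(2)}
        for name, value in zip(FIELDS, m.groups()[2:8]):
            row[name] = int(value)
        row["start"] = float(m.group(9))
        row["duration"] = float(m.group(10))
        # Sanity check: the Total column must be the sum of both directions.
        if row["frames"] != row["rx_frames"] + row["tx_frames"]:
            raise ValueError("frame total does not add up: " + line)
        rows.append(row)
    return rows


def is_lopsided(rx_bytes, tx_bytes):
    """True when every byte went one way, the symptom the question describes."""
    return rx_bytes == 0 or tx_bytes == 0


def lopsided_rows(rows):
    """Rows that are one-way exactly as tshark printed them."""
    return [r for r in rows if is_lopsided(r["rx_bytes"], r["tx_bytes"])]


def merge_pairs(rows):
    """Sum all rows that share an endpoint pair, keyed by (A, B) as first seen.
    A row printed as B <-> A is folded in with its directions swapped."""
    merged = {}
    for r in rows:
        key = (r["a"], r["b"])
        flipped = key not in merged and (r["b"], r["a"]) in merged
        if flipped:
            key = (r["b"], r["a"])
        m = merged.setdefault(key, dict.fromkeys(FIELDS + ("rows",), 0))
        src = FIELDS
        if flipped:
            src = ("tx_frames", "tx_bytes", "rx_frames", "rx_bytes", "frames", "bytes")
        for dst, s in zip(FIELDS, src):
            m[dst] += r[s]
        m["rows"] += 1
    return merged


def lopsided_pairs(merged):
    """Endpoint pairs that are still one-way after merging their rows."""
    return sorted(k for k, m in merged.items()
                  if is_lopsided(m["rx_bytes"], m["tx_bytes"]))


if __name__ == "__main__":
    rows = parse_conv(SAMPLE)
    print(f"{len(rows)} rows, {len(lopsided_rows(rows))} one-way as printed")
    merged = merge_pairs(rows)
    for (a, b), m in merged.items():
        flag = "  <- one-way in this capture" if (a, b) in lopsided_pairs(merged) else ""
        print(f"{a} <-> {b}: {m['rows']} row(s), <- {m['rx_bytes']} B, -> {m['tx_bytes']} B{flag}")
```

To run it against a real file, feed `tshark -r file.pcap -q -z conv,udp` output (or `conv,tcp`) to `parse_conv` instead of `SAMPLE`; a pair that remains in `lopsided_pairs` after merging is one the capture genuinely only saw from one side, which is all the report can tell you.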

Will search. Thank you for your support!

rvelez3@fau.edu ( 2019-04-11 17:37:02 +0000 )