Equivalent of Wireshark's Statistics - Conversations in tshark

In Wireshark, after clicking Statistics - Conversations, TCP tab, we obtain the head below:

"Address A","Port A","Address B","Port B","Packets","Bytes","Packets A → B","Bytes A → B","Packets B → A","Bytes B → A","Rel Start","Duration","Bits/s A → B","Bits/s B → A"

We get similar results by tshark using the command line:

tshark -qtu -z conv,tcp -r <file> -Tfields -E header=y -E separator="," -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport

The filter "ip.src" in tshark gives the equivalent of "Address A" in Wireshark, "tcp.srcport" gives "Port A", and so on.

How can we find the other fields like "Rel Start", "Duration", etc.? The tshark man page does not present any filter list.
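
As an added example (not part of the original question, and not Wireshark's own code), the Python below rebuilds the conversation columns from per-packet -Tfields rows. It assumes frame.time_relative and frame.len are exported alongside the four fields in the question, that "A" is the sender of the first packet seen, and that Rel Start, Duration and Bits/s are the first packet's time, last minus first, and bytes times 8 over duration; the sample rows are constructed.

```python
import csv

# Constructed sample rows (not from a real capture), in the shape printed by:
#   tshark -r <file> -Y tcp -Tfields -E separator=, -e frame.time_relative \
#     -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e frame.len
SAMPLE = """\
0.000000,10.0.0.1,50000,10.0.0.2,80,74
0.010000,10.0.0.2,80,10.0.0.1,50000,74
0.020000,10.0.0.1,50000,10.0.0.2,80,66
1.500000,10.0.0.3,50001,10.0.0.2,443,74
2.000000,10.0.0.2,80,10.0.0.1,50000,1514
""".splitlines()


def conversations(lines):
    """Fold per-packet rows into one summary dict per TCP conversation."""
    convs = {}
    for row in csv.reader(lines):
        if len(row) != 6 or not all(row):
            continue  # missing or multi-valued field (e.g. IPv6 or tunnelled packet)
        t, size = float(row[0]), int(row[5])
        src, dst = (row[1], row[2]), (row[3], row[4])
        # Assumption: "A" is the sender of the first packet seen for the pair.
        c = convs.setdefault(frozenset((src, dst)), {
            "a": src, "b": dst, "start": t, "end": t,
            "pkts_ab": 0, "bytes_ab": 0, "pkts_ba": 0, "bytes_ba": 0})
        way = "ab" if src == c["a"] else "ba"
        c["pkts_" + way] += 1
        c["bytes_" + way] += size
        c["start"], c["end"] = min(c["start"], t), max(c["end"], t)
    table = []
    for c in convs.values():
        dur = c["end"] - c["start"]
        rate = lambda n: n * 8 / dur if dur > 0 else None  # bits per second
        table.append({
            "Address A": c["a"][0], "Port A": c["a"][1],
            "Address B": c["b"][0], "Port B": c["b"][1],
            "Packets": c["pkts_ab"] + c["pkts_ba"],
            "Bytes": c["bytes_ab"] + c["bytes_ba"],
            "Packets A->B": c["pkts_ab"], "Bytes A->B": c["bytes_ab"],
            "Packets B->A": c["pkts_ba"], "Bytes B->A": c["bytes_ba"],
            "Rel Start": c["start"], "Duration": dur,
            "Bits/s A->B": rate(c["bytes_ab"]), "Bits/s B->A": rate(c["bytes_ba"]),
        })
    return table


if __name__ == "__main__":
    for conv in conversations(SAMPLE):
        print(conv)
```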
