
Exclude streams having retransmissions

I have a lot of streams in my pcap. I am looking for a way to exclude the streams in which I find a retransmission flag set.

I have tried the command below to find clean streams.

$ tshark -r trace.pcap -Y "not tcp.analysis.flags" -T fields -e tcp.stream > streams.out

But when I use the above "streams.out" file to create a filter of clean OR'ed streams using the shell command below:

$ cat /tmp/x | sort -un | sed ':a;N;$!ba;s/\n/ or tcp.stream==/g'

and use it directly in the filter, it gives me an error:

$ tshark -r trace.pcap -Y "`cat /tmp/x | sort -un | sed ':a;N;$!ba;s/\n/ or tcp.stream==/g'`"
tshark: argument list too long.

That's because I have a huge number of streams in my pcap. Is there a direct way to exclude the streams from the pcap?

Exclude streams having retransmissions

I have a lot of streams in my pcap. I am looking for a way to exclude the streams in which I find a retransmission flag set.

I have tried the command below to find clean streams.

$ tshark -r trace.pcap -Y "not tcp.analysis.flags" tcp.analysis.retransmission" -T fields -e tcp.stream > streams.out

But when I use the above "streams.out" file to create a filter of clean OR'ed streams using the shell command below:

$ cat /tmp/x | sort -un | sed ':a;N;$!ba;s/\n/ or tcp.stream==/g'

and use it directly in the filter, it gives me an error:

$ tshark -r trace.pcap -Y "`cat /tmp/x | sort -un | sed ':a;N;$!ba;s/\n/ or tcp.stream==/g'`"
tshark: argument list too long.

That's because I have a huge number of streams in my pcap. Is there a direct way to exclude the streams from the pcap?


Exclude streams having retransmissions

I have a lot of streams in my pcap. I am looking for a way to exclude the streams in which I find a retransmission flag set.

I have tried the command below to find clean streams.

$ tshark -r trace.pcap -Y "not tcp.analysis.retransmission" -T fields -e tcp.stream > streams.out

But when I use the above "streams.out" file to create a filter of clean OR'ed streams using the shell command below:

$ cat /tmp/x | sort -un | sed ':a;N;$!ba;s/\n/ or tcp.stream==/g'

and use it directly in the filter, it gives me an error:

$ tshark -r trace.pcap -Y "`cat /tmp/x | sort -un | sed ':a;N;$!ba;s/\n/ or tcp.stream==/g'`"
tshark: argument list too long.

That's because I have a huge number of streams in my pcap. Is there a direct way to exclude the streams from the pcap?
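
One way to approach the problem described in the question, as an added example that is not part of the original post: list the streams that contain at least one retransmission, subtract them from the set of all streams, and split the remaining ids into several short filters so that no single -Y argument grows without bound. The function names, temporary file names and the chunk size of 500 are assumptions.

```shell
#!/bin/sh
# Added example; function names, temp file names and chunk size are assumptions.

# clean_streams ALL DIRTY
#   ALL:   tshark -r trace.pcap -T fields -e tcp.stream
#   DIRTY: tshark -r trace.pcap -Y "tcp.analysis.retransmission" -T fields -e tcp.stream
# Prints the stream ids that occur in ALL but never in DIRTY. Empty lines
# (non-TCP packets have no tcp.stream value) are ignored.
clean_streams() {
    awk 'FILENAME == ARGV[1] { if ($0 ~ /^[0-9]+$/) dirty[$0] = 1; next }
         $0 ~ /^[0-9]+$/ && !($0 in dirty) && !seen[$0]++' "$2" "$1" | sort -n
}

# chunk_filters N
#   Reads stream ids on stdin and prints one display filter per line,
#   each OR-ing at most N streams.
chunk_filters() {
    awk -v n="$1" '
        { buf = (buf == "" ? "" : buf " or ") "tcp.stream==" $0 }
        NR % n == 0 { print buf; buf = "" }
        END { if (buf != "") print buf }'
}

# extract_clean IN.pcap OUT.pcap
#   Runs one tshark pass per chunk and merges the partial captures.
extract_clean() {
    tmp=$(mktemp -d) || return 1
    tshark -r "$1" -T fields -e tcp.stream > "$tmp/all"
    tshark -r "$1" -Y "tcp.analysis.retransmission" -T fields -e tcp.stream > "$tmp/dirty"
    i=0
    clean_streams "$tmp/all" "$tmp/dirty" | chunk_filters 500 |
    while IFS= read -r filter; do
        i=$((i + 1))
        tshark -r "$1" -Y "$filter" -w "$tmp/part$i.pcap"
    done
    # No part files means every stream had a retransmission.
    if ls "$tmp"/part*.pcap >/dev/null 2>&1; then
        mergecap -w "$2" "$tmp"/part*.pcap
    else
        echo "no clean streams found" >&2
    fi
    rm -rf "$tmp"
}

if [ "$#" -eq 2 ]; then extract_clean "$1" "$2"; fi
```

A per-packet filter such as "not tcp.analysis.retransmission" also matches the ordinary packets of a stream that has retransmissions elsewhere, which is why the example computes the set difference instead.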