I understand that "follow tcp stream" allows packets from a single TCP stream to be displayed in order. I captured BitTorrent traffic that contains more than 30 TCP streams. How can I display all packets from all the TCP streams in order at the same time? asked 21 Apr '11, 07:47 catfish
One Answer:
"Follow TCP Stream" selects one TCP conversation and opens an additional window with the payload of that one conversation. So I think what you want to do is to have all conversations display their reconstructed payload, and not just the packets themselves (because for that I'd simply answer: "just filter on tcp" :-)). As far as I know there is no way to open multiple payload windows without manual interaction; maybe tshark can help. Synbit? Any ideas? :-) answered 21 Apr '11, 08:01 Jasper ♦♦
Thanks for your reply.
What I really want to do is to put all the packets from all the TCP streams shown in the packet list pane IN ORDER (as seen at application level), so my program can analyze them. I don't need to open multiple payload windows. Using the filter "tcp" does not resolve the packet ordering problem, right?
Using a filter like this, "tcp.stream eq 0 or tcp.stream eq 1 ... or tcp.stream eq n" seems to do the trick.
I don't think that filter is eliminating retransmissions or reordering out-of-order packets for you though...
(@catfish: I converted your "answers" to "comments", as that is the way this Q&A site works best, see the FAQ)
Follow TCP stream does not put the packet list in TCP sequence number order. It just filters out one TCP stream and then, for that stream, puts the TCP payload in order as the application would have received it from the TCP buffers.
Does your program need the network packets as input, or does it need the TCP payload as input? In case of the first, that is really not easily done when there are out-of-order packets, duplicates, retransmissions and maybe even missing packets.
In case of the latter, you could use tcpflow.
I know this conversation is quite old, but SYN-bit's answer caught my attention, because I really need a solution like the one he called "really not easily done" and I'd like to know whether somebody knows how to do this with missing packets, retransmissions, etc.
What about the mentioned tcpflow?
According to the documentation this tool can only capture data, not analyse cap/pcap files, or did I miss something?
It can also read pcap files (option -r).
Anyway, I believe the current wireshark/tshark "Follow TCP stream" function does take care of missing and out-of-order frames, at least that's what I have seen with a small test capture file.
Okay, I missed that there is a new branch of tcpflow. Well, I guess I'll try the current version of wireshark first. By the way, is there a tcpflow version for Windows?
Google says so ;-))
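The thread's hard part is what SYN-bit calls "really not easily done": turning a packet list with retransmissions, overlaps, out-of-order segments and gaps into the byte stream the application actually read, for every stream at once rather than one "Follow TCP Stream" window at a time. The following is an added example written for this page, not code from the thread, from Wireshark or from tcpflow. It reassembles each direction of each TCP stream from a list of segments the way a receive buffer would: sort by sequence number, discard pure retransmissions, trim overlapping bytes, and record gaps where bytes are missing from the capture. The `Segment` and `Flow` classes, the `reassemble` function and the sample segments (addresses, ports, sequence numbers and payloads) are all constructed for the example; a real capture would be fed in as one `Segment` per data-bearing packet, and the code assumes the capture is short enough that 32-bit sequence numbers do not wrap.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment that carries payload.

    'stream' mirrors the tcp.stream index Wireshark assigns to a conversation;
    'seq' is the absolute sequence number of the first payload byte (no wrap
    handling, an assumption of this example). src/dst are "ip:port" strings.
    """
    stream: int
    src: str
    dst: str
    seq: int
    payload: bytes


@dataclass
class Flow:
    """Reassembled one-directional byte stream plus what had to be dropped."""
    data: bytes = b""
    dropped: int = 0                          # retransmitted/overlapping bytes discarded
    gaps: list = field(default_factory=list)  # (expected_seq, seq_actually_seen) pairs


def reassemble(segments):
    """Return {(stream, src, dst): Flow}, payload in sequence order per direction.

    Mirrors what an application sees after the TCP receive buffer has reordered
    segments and discarded duplicates. A gap means bytes are missing from the
    capture; later data is still appended, but the gap is recorded so a caller
    can treat the flow as unreliable from that point on.
    """
    by_flow = defaultdict(list)
    for s in segments:
        if s.payload:                          # pure ACKs carry nothing to reassemble
            by_flow[(s.stream, s.src, s.dst)].append(s)

    result = {}
    for key, segs in by_flow.items():
        # Sort by seq; on equal seq prefer the longer segment so a retransmission
        # that carries more data than the original wins.
        segs.sort(key=lambda s: (s.seq, -len(s.payload)))
        flow = Flow()
        next_seq = segs[0].seq                 # first payload byte seen for this direction
        for s in segs:
            end = s.seq + len(s.payload)
            if end <= next_seq:
                flow.dropped += len(s.payload)  # everything already delivered: retransmission
                continue
            if s.seq < next_seq:
                flow.dropped += next_seq - s.seq  # partial overlap: keep only the new tail
                chunk = s.payload[next_seq - s.seq:]
            elif s.seq > next_seq:
                flow.gaps.append((next_seq, s.seq))  # bytes missing from the capture
                chunk = s.payload
            else:
                chunk = s.payload
            flow.data += chunk
            next_seq = end
        result[key] = flow
    return result


# Constructed sample: two streams, captured out of order, with a duplicate,
# an overlapping retransmission, a gap, and a reply in the other direction.
C, S = "10.0.0.1:51234", "10.0.0.2:6881"
SAMPLE = [
    Segment(0, C, S, 1006, b" HTTP"),          # arrives before the bytes preceding it
    Segment(0, C, S, 1000, b"GET /a"),
    Segment(0, C, S, 1000, b"GET /a"),         # full retransmission
    Segment(0, S, C, 9000, b"HTTP/1.1 200"),   # server -> client direction
    Segment(0, S, C, 9012, b""),               # ACK only, no payload
    Segment(1, C, S, 5000, b"ABCDEF"),
    Segment(1, C, S, 5004, b"EFGH"),           # overlaps the previous segment by 2 bytes
    Segment(1, C, S, 5020, b"XYZ"),            # 12 bytes (5008..5019) never captured
]


if __name__ == "__main__":
    for (stream, src, dst), flow in sorted(reassemble(SAMPLE).items()):
        print(f"tcp.stream {stream} {src} -> {dst}: {flow.data!r} "
              f"dropped={flow.dropped} gaps={flow.gaps}")
```

One way to produce `Segment` objects from a real capture is to export the fields with tshark, for example `tshark -r capture.pcap -T fields -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.seq_raw -e tcp.payload` (the `tcp.seq_raw` field is available in Wireshark 3.0 and later; older versions only expose the relative `tcp.seq`, which works equally well here because the code only needs consistent offsets within one direction). Whatever the source, check `flow.gaps` before trusting a reassembled stream: a parser fed across a gap will desynchronise silently.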