tshark filter then remove packet and move on

Hi,

I created a small Python script to parse a pcap file and count the number of DSCP values. It is working fine; I obtain something like this:

--------------------------------------
DSCP      Value     Packet num.    %         
--------------------------------------
CS0       0         21097          16        
CS1       8         53672          41        
AF11      10        0              0         
AF12      12        0              0         
AF13      14        0              0         
CS2       16        0              0         
AF21      18        0              0         
AF22      20        0              0         
AF23      22        0              0         
CS3       24        0              0         
AF31      26        147            0         
AF32      28        0              0         
AF33      30        0              0         
CS4       32        0              0         
AF41      34        54074          41        
AF42      36        0              0         
AF43      38        0              0         
CS5       40        0              0         
44        44        0              0         
EF        46        0              0         
CS6       48        417            0         
CS7       56        0              0         
--------------------------------------
Now I am trying to use the same semantics to parse a pcap file, and the idea is to work like a QoS policy-map with class-maps. My code looks like this:
request = "tshark -r " + pcap + " -q -z io,stat,0,\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ af31 + ")',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ af22 + ")',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ af11 + ")',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ cs1 + ")',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ default + ")'"

with each variable af31, af22, af11 ... being a string variable like this:

af11 = "(tcp.srcport in { 21 }) or (tcp.dstport in { 21 }) or (tcp.srcport in { 51909 }) or (tcp.dstport in { 51909 }) or (ip.dst == 192.168.85.131) or (ip.dst == 192.168.65.105) or (ip.dst == 192.168.193.50) or (ip.dst == 192.168.246.120) or (ip.src == 192.168.85.131) or (ip.src == 192.168.65.105) or (ip.src == 192.168.193.50) or (ip.src == 192.168.246.120) or (tcp.srcport in { 2051 }) or (tcp.dstport in { 2051 }) or (ip.dst == 192.168.19.213) or (ip.dst == 192.168.114.201) or (ip.dst == 192.168.119.11) or (ip.dst == 192.168.114.200) or (ip.dst == 192.168.119.12) or (ip.dst == 192.168.19.214)"

cs1 = "(tcp)"

This is working, but not in a policy-map way: for each "count" I would like to mark that packet as being treated, so that once it goes into a filter, it can't be counted by another filter later.

For example, in my script the cs1 variable is matching too many things, even though tshark is just applying the filter correctly; I would like every packet that has matched something before that filter to be removed from the next filter check.

So the order of my filters is important, and each packet should be matched only once.

Maybe a solution would be to use my first filter, count the packets, then remove those packets from the big pcap file, and then use my second filter, etc. But it seems a bit overkill, no?
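An added example (not from the original post) showing one way to get first-match, policy-map semantics without rewriting the pcap: each class filter is AND-ed with the negation of every earlier class, so tshark's otherwise independent COUNT() columns become mutually exclusive and ordered. The af31/af22 filter strings and the pcap name are constructed placeholders; the tshark invocation itself is the same io,stat form as in the question.

```python
"""Compose policy-map style (first-match) tshark io,stat filters."""
import shlex
import subprocess

# Ordered class-maps, most specific first (policy-map order). The af31 and
# af22 filter texts are constructed placeholders; af11 is shortened from
# the question, cs1 is the question's catch-all "(tcp)".
CLASSES = [
    ("af31", "(udp.port == 5060)"),
    ("af22", "(tcp.port in { 443 })"),
    ("af11", "(tcp.srcport in { 21 }) or (tcp.dstport in { 21 })"),
    ("cs1", "(tcp)"),
]


def exclusive_filters(classes):
    """Return (name, filter) pairs where each filter also excludes every
    earlier class, so a packet can be counted by at most one class and the
    first matching class wins. A final 'default' entry counts what no class
    matched (the policy-map class-default)."""
    if not classes:
        raise ValueError("need at least one class")
    out, earlier = [], []
    for name, flt in classes:
        if earlier:
            excl = " && ".join("!(%s)" % e for e in earlier)
            out.append((name, "(%s) && %s" % (flt, excl)))
        else:
            out.append((name, "(%s)" % flt))
        earlier.append(flt)
    out.append(("default", " && ".join("!(%s)" % e for e in earlier)))
    return out


def build_tshark_argv(pcap, classes):
    """Build the tshark argv (passed without a shell, so no quoting games)
    with one COUNT(ip.dsfield.dscp) column per class, in class order."""
    stat = "io,stat,0," + ",".join(
        "COUNT(ip.dsfield.dscp)ip.dsfield.dscp && %s" % flt
        for _, flt in exclusive_filters(classes))
    return ["tshark", "-r", pcap, "-q", "-z", stat]


if __name__ == "__main__":
    argv = build_tshark_argv("capture.pcap", CLASSES)   # placeholder file
    print(" ".join(shlex.quote(a) for a in argv))       # show the command
    subprocess.run(argv, check=False)                   # run it on the pcap
```

Each COUNT column then reports only packets not already claimed by an earlier class, so the per-class numbers add up to the total without double counting.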