Is there any concept of flow ID in tshark? When I searched for filters, I found out that tcp.stream exists but its equivalent for UDP, i.e. udp.stream, doesn't exist. When I open a pcap, by default it shows the frame number, IP addresses, info etc. In one column I also need the flow ID of each packet along with the frame number. Does tshark provide such support? If not, is there any way I can do this? I have written a program where I am reading a pcap file packet by packet, and I need the flow ID for each packet read. If I use the tshark command as
it displays the packet number along with some other details, but I want the flow ID also to be displayed, which I can read in my program. Any help will be greatly appreciated. Thanks.

asked 20 Oct '12, 22:06 viks
One Answer:
Unfortunately, there is no "UDP stream/flow" recorded in Wireshark. The best you can do is to print the UDP conversations and then filter on the connection parameters (IP + port) with a script in a second run.
Regards

answered 29 Oct '12, 04:20 Kurt Knochner ♦

@kurt: thanks for the reply. For the tshark command that you told me, I will get the src (IP + port) and dest (IP + port), and that along with the transport protocol (TCP/UDP) will give me the 5-tuple. Now how do I calculate the flow ID from that? Can you please let me know how to calculate that using some script or C code? Is there some already existing library which provides this functionality? (30 Oct '12, 00:16) viks

@viks, there is no "flowid" or anything similar, neither in UDP nor in Wireshark. However, you can "simulate" that in your script. As soon as the first packet with a yet unseen 5-tuple appears, you remember that conversation as "flow" number #1, then you proceed in the same way with all other conversations. Usually this is done with a hash table where the 5-tuple is the key to the hash table. (30 Oct '12, 03:05) Kurt Knochner ♦
I just need the UDP flow ID (similar to that given by tcp.stream for the TCP flows) for the UDP packets. Please let me know how to do that. Thanks.
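The hash-table approach Kurt describes, written out as an added example (this is not code from the thread or from Wireshark). It reads a classic pcap packet by packet with only the Python standard library, extracts the 5-tuple from each Ethernet/IPv4/TCP-or-UDP frame, and hands out the next free integer the first time an unseen 5-tuple appears. Two assumptions to note: the key is made direction-independent (the two endpoints are sorted), so a DNS query and its reply land in the same flow, which is what tcp.stream does for TCP; and packets that carry no 5-tuple (ARP, ICMP, IPv6, truncated frames) get no ID rather than a bogus one. The sample capture at the bottom is constructed in memory so the script runs offline; point `assign_flow_ids` at the bytes of a real file instead. (For what it is worth, later Wireshark releases did add a `udp.stream` field, so on a current tshark `-T fields -e frame.number -e udp.stream` gives the same numbering without a second pass.)

```python
"""Assign a tcp.stream-style flow ID to every packet of a pcap, keyed by 5-tuple."""
import socket
import struct
from typing import Dict, Iterator, List, Optional, Tuple

FiveTuple = Tuple[int, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


def iter_pcap_packets(data: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from a classic (non-pcapng) pcap, honouring the magic's byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:  # LINKTYPE_ETHERNET; other link types are out of scope for this example
        raise ValueError("only Ethernet captures are handled here")
    off = 24  # size of the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]  # ts_sec, ts_usec, incl_len, orig_len
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def five_tuple(frame: bytes) -> Optional[FiveTuple]:
    """Return (proto, src, sport, dst, dport) for an Ethernet/IPv4/{TCP,UDP} frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None  # not IPv4 (ARP, IPv6, ...) or too short to hold an IPv4 header
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes (options included)
    proto = frame[23]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None  # no ports (ICMP etc.) or the transport header is truncated
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return (proto, socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport)


class FlowTable:
    """Hash table keyed by direction-independent 5-tuple; each new key gets the next ID, like tcp.stream."""

    def __init__(self) -> None:
        self._ids: Dict[tuple, int] = {}

    def flow_id(self, t: FiveTuple) -> int:
        proto, src, sport, dst, dport = t
        a, b = (src, sport), (dst, dport)
        key = (proto, min(a, b), max(a, b))  # assumption: both directions of a conversation share one flow
        return self._ids.setdefault(key, len(self._ids))


def assign_flow_ids(pcap: bytes) -> List[Tuple[int, Optional[int]]]:
    """Return [(frame_number, flow_id)] with frame numbers counted from 1, as tshark does."""
    table = FlowTable()
    result: List[Tuple[int, Optional[int]]] = []
    for n, frame in enumerate(iter_pcap_packets(pcap), start=1):
        t = five_tuple(frame)
        result.append((n, table.flow_id(t) if t is not None else None))
    return result


# ---- constructed sample capture (not real traffic), used so the script runs offline ----
def _udp_frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/UDP frame with zeroed checksums; enough for parsing, not for sending."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + udp + payload


def _pcap(frames: List[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", 1350000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = _pcap([
    _udp_frame("10.0.0.1", 50000, "8.8.8.8", 53, b"query-1"),   # frame 1: flow 0
    _udp_frame("10.0.0.1", 50001, "8.8.8.8", 53, b"query-2"),   # frame 2: flow 1 (new source port)
    _udp_frame("8.8.8.8", 53, "10.0.0.1", 50000, b"reply-1"),   # frame 3: flow 0 (reverse direction)
    _udp_frame("10.0.0.2", 40000, "10.0.0.3", 5060, b"INVITE"),  # frame 4: flow 2
    _udp_frame("8.8.8.8", 53, "10.0.0.1", 50001, b"reply-2"),   # frame 5: flow 1
    bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28,  # frame 6: ARP, no flow
])

if __name__ == "__main__":
    for frame_no, fid in assign_flow_ids(SAMPLE_PCAP):
        print(f"{frame_no}\t{'-' if fid is None else fid}")
```

On a real file, `assign_flow_ids(open("capture.pcap", "rb").read())` gives one (frame number, flow ID) pair per packet in capture order, which is the column the question asks for; the numbering only matches tshark's frame numbers if the file is a classic pcap, since pcapng has block types this small reader does not parse. If per-direction flows are wanted instead of per-conversation ones, drop the `min`/`max` in `FlowTable.flow_id` and key on the raw tuple.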