This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I need to monitor TCP and UDP sessions on a network segment. How can I do it?

0

Hello,

Can I monitor TCP and UDP sessions with Wireshark?

  1. Sessions per second.
  2. Sessions by hour, by day?

Thanks

asked 06 Jun '13, 04:02


junglend
1112
accept rate: 0%

edited 10 Jun '13, 08:25


Kurt Knochner ♦
24.8k1039237

If I understand the question, you want to graph the number of sessions established per second? The number of sessions that are being established per second? Could you reword this question?

(06 Jun '13, 18:11) Quadratic

So, it can be without a graph. I want to see TCP session statistics of any kind, possibly in a graph too.

(06 Jun '13, 22:35) junglend

But a graph of what specifically? Do you want to see TCP session setup attempts over time? And for UDP, what exactly do you want graphed over time (there's no such thing as a UDP session technically)?

(07 Jun '13, 06:31) Quadratic

2 Answers:

1

Wireshark is not a monitoring tool, it's an analysis tool. It keeps state information to do the best dissection of packets it possibly can. This means its memory use will grow over time and it will run out of memory sooner or later.

So if you need a long-term monitoring solution, Wireshark is not the way forward. Have a look at ntop, which might suit you better. Also, check whether your networking devices are capable of exporting NetFlow, sFlow or IPFIX data. If they are, you might want to look into a NetFlow collector to collect the session data and present it to you in graphs.

answered 08 Jun '13, 01:27


SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks. 1. I know that Wireshark is not a monitoring tool. But the tool has a "Statistics" section in the menu, and I mean that in this section I can view information about TCP sessions. 2. Unfortunately, I do not have NetFlow. And I am looking for a tool that can possibly show session statistics.

(09 Jun '13, 22:57) junglend

1

You could run tshark to generate conversation statistics and then use Excel (or a perl/python/whatever script) to generate the sessions per minute/hour.

tshark -nr input.pcap -q -z conv,tcp
tshark -nr input.pcap -q -z conv,udp

Sample Output:

================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
172.16.29.25:32882   <-> 172.16.50.74:3128        314    297506     252     32097     566    329603    33,175361000       313,6527
172.16.29.25:32881   <-> 172.16.50.74:3128        308    279108     228     38839     536    317947    31,675055000       315,1533
172.16.29.25:32883   <-> 172.16.50.74:3128        213    213803     187     19472     400    233275    34,542359000       151,6759
172.16.29.25:32897   <-> 172.16.50.74:3128        198    152229     177     17003     375    169232   185,180690000       161,6476
172.16.29.25:32893   <-> 172.16.50.74:3128        156    120221     111     22966     267    143187    91,233185000       255,5950

Then load the output of those commands into Excel (or your script) and generate the connections per time interval statistics. Please use the column "Relative Start" for your statistics.

If you need a solution that does the statistics "on-the-fly" (monitoring the interface and continuously counting the sessions) or for a very long time (days, weeks), Wireshark/tshark is the wrong tool for you.

Regards
Kurt

answered 10 Jun '13, 08:30


Kurt Knochner ♦
24.8k1039237
accept rate: 15%
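
The script step described in the answer above, as an added example that is not part of the original post: it parses `tshark -q -z conv,tcp` output and counts conversations per time interval by "Relative Start". The function names are hypothetical; the sample rows are copied from the output quoted in the answer.

```python
import re
from collections import Counter

# Header and rows copied from the sample output in the answer (decimal commas kept).
SAMPLE = """\
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
172.16.29.25:32882   <-> 172.16.50.74:3128        314    297506     252     32097     566    329603    33,175361000       313,6527
172.16.29.25:32881   <-> 172.16.50.74:3128        308    279108     228     38839     536    317947    31,675055000       315,1533
172.16.29.25:32883   <-> 172.16.50.74:3128        213    213803     187     19472     400    233275    34,542359000       151,6759
172.16.29.25:32897   <-> 172.16.50.74:3128        198    152229     177     17003     375    169232   185,180690000       161,6476
172.16.29.25:32893   <-> 172.16.50.74:3128        156    120221     111     22966     267    143187    91,233185000       255,5950
"""

# A conversation row is "addrA <-> addrB <counters...>"; header lines never contain "<->".
ROW = re.compile(r"^(\S+)\s+<->\s+(\S+)\s+(.*)$")

def to_float(field):
    # The sample uses a decimal comma; accept both "33,17" and "33.17".
    return float(field.replace(",", "."))

def parse_conversations(text):
    """Return (addr_a, addr_b, relative_start, duration) for each conversation row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, filter and column-header lines
        fields = m.group(3).split()
        try:
            # Relative Start and Duration are the last two columns.
            start, duration = to_float(fields[-2]), to_float(fields[-1])
        except (IndexError, ValueError):
            continue  # truncated or malformed row
        rows.append((m.group(1), m.group(2), start, duration))
    return rows

def sessions_per_interval(text, interval=60):
    """Count conversations by the interval (in seconds) their Relative Start falls in."""
    counts = Counter(int(s // interval) for _, _, s, _ in parse_conversations(text))
    if not counts:
        return []
    # Emit empty intervals too, so the series can be graphed directly.
    return [(i * interval, counts.get(i, 0)) for i in range(max(counts) + 1)]

if __name__ == "__main__":
    for bucket, n in sessions_per_interval(SAMPLE, 60):
        print(f"{bucket:>6}s  {n}")
```

"Relative Start" is the time of the first packet seen for a conversation, so connections that were already open when the capture began are counted in the first interval.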