This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I filter specific sessions from a single capture?


I'm investigating some page timeout issues in a live system. The root problem is a link between Atlassian's Confluence and Jira; pages in the former time out when embedding content from the latter. This data exchange is primarily JSON and XML over HTTP; a typical single page load might result in 50-70 HTTP requests. Both systems are behind an Apache proxy.

At the moment, I don't have the luxury of testing this in isolation and I can't replicate it in the lab setup, so I'm running tshark captures between the proxy and the live JIRA system. So far so good; I can use the TCP stats to get the session times and see some requests taking far too long to process, but I can't be sure which are a result of the specific page load I triggered.

There's a unique cookie that should identify a given session's requests. What I'd like is a filter that shows me the entire TCP session traffic where that specific cookie appears somewhere in the payload. Is that possible within Wireshark?

asked 02 Oct '13, 04:03


TerryD

Maybe I don't quite understand the subtlety of your question... but it sounds like you simply want to isolate a specific TCP connection given a segment with a specific string. If that's the case, there are plenty of ways to do that. What I would do personally is search for the packet containing the cookie. Once you find it, expand the TCP header and look at the value of [Stream Index] - this is Wireshark's way of labeling each unique TCP session. Take that value, and use it as a filter. For example, if the stream number is 416, you would use this simple display filter:

tcp.stream == 416

There are other ways to do this, such as right-clicking on the packet containing the cookie value and selecting Conversation Filter -> TCP, or simply "Follow TCP Stream". But I find the TCP stream number so useful that I have added a custom column to my preferences so I am always aware of it.

(02 Oct '13, 05:37) smp

Hi smp. That's the start of what I'm looking to do. I can use Statistics->Conversation List->TCP to get a list and duration of every TCP session within the capture and I can, usefully, isolate individual streams. However, what I can't do is isolate all of the streams related to a particular page load.

Every one of those streams will have an HTTP GET request in there and each of those requests will share a single, unique cookie. If Wireshark had a plain English parser, I'd say "Show me all of the full TCP streams that contain HTTP requests with 'SESSIONID=xyz' in the request header". That's the best way I can phrase it.

(02 Oct '13, 08:03) TerryD

Oh, that clarifies it perfectly, and it's a great question. Unfortunately, I don't know the answer so I'm going to sit back and watch for a more knowledgeable response. Sorry I couldn't help further.

(02 Oct '13, 08:10) smp

One Answer:


If you look at the SharkFest'11 session on command line scripting from @SYN-bit here, Example 3 (slide 42), Sake shows you how to find all sessions with a specific HTTP cookie.

I did a PowerShell version of this at SharkFest'12; the session is here, and you should look around page 30 for the section "All sessions with cookie xxxx".

answered 02 Oct '13, 09:41


grahamb ♦

Thanks! Not only does that answer my question perfectly, but it's introduced me to a whole new source of wizardry. (Using tshark to generate a filter for tshark. The mind boggles...)

(07 Oct '13, 01:35) TerryD
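As an added illustration of the two-pass technique the answer points to and the last comment marvels at (this is example code, not from the linked SharkFest slides or from Wireshark itself): pass 1 runs tshark to list the tcp.stream index of every packet whose Cookie header contains the session cookie, the script dedupes those indices into a `tcp.stream == N || ...` display filter, and pass 2 feeds that filter back to tshark to pull out the complete sessions. It assumes tshark is on PATH and accepts `-Y` (tshark 1.10 or later); the capture file name and cookie value are placeholders.

```python
#!/usr/bin/env python3
"""Two-pass tshark: find every TCP stream carrying an HTTP request with a
given cookie, then emit a display filter that selects those whole streams."""
import subprocess
import sys


def cookie_display_filter(cookie: str) -> str:
    """Display filter for pass 1: requests whose Cookie header holds the value.
    'contains' is a substring match, so other cookies in the header don't matter.
    Assumes the value itself contains no double quotes."""
    return f'http.cookie contains "{cookie}"'


def build_stream_filter(field_output: str) -> str:
    """Turn tshark '-T fields -e tcp.stream' output (one index per matching
    packet, so indices repeat, and lines may be blank) into a display filter
    matching every packet of those streams. '||' is used rather than the newer
    'tcp.stream in {...}' set syntax so the filter works on older Wireshark."""
    streams = sorted({int(s.strip()) for s in field_output.splitlines()
                      if s.strip().isdigit()})
    return " || ".join(f"tcp.stream == {s}" for s in streams)


def streams_with_cookie(capture: str, cookie: str) -> str:
    """Pass 1: run tshark over the capture and return the generated filter
    (empty string when no packet carries the cookie)."""
    out = subprocess.run(
        ["tshark", "-r", capture, "-Y", cookie_display_filter(cookie),
         "-T", "fields", "-e", "tcp.stream"],
        capture_output=True, text=True, check=True,
    ).stdout
    return build_stream_filter(out)


if __name__ == "__main__":
    # Placeholders: replace with the real capture file and session cookie.
    capture = sys.argv[1] if len(sys.argv) > 1 else "proxy-to-jira.pcap"
    cookie = sys.argv[2] if len(sys.argv) > 2 else "JSESSIONID=xyz"
    stream_filter = streams_with_cookie(capture, cookie)
    if not stream_filter:
        sys.exit(f"no packet in {capture} carries cookie {cookie!r}")
    print(stream_filter)
    # Pass 2: apply the generated filter to pull out the complete sessions.
    # Add '-w page-load.pcap' to save them instead of printing a summary.
    subprocess.run(["tshark", "-r", capture, "-Y", stream_filter], check=True)
```

The printed filter can also be pasted straight into the Wireshark display filter bar, which gives the per-stream durations from Statistics->Conversations for just that page load.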