
Beside writing a script using tshark, what would you recommend to split a capture to have one capture per conversation, e.g. UDP, TCP, or Ethernet? Would it be possible to create a feature to split the opened capture into each of the conversations?

asked 25 Nov '13, 13:40


wnatter


If you insist on an unscripted, manual method through the GUI, the easiest way right now would probably be:

  • Go to Statistics > Conversations
  • Right-click a conversation, and select "Apply as Filter"
  • Go to File > Export Specified Packets > Displayed

Now, through scripted methods there are a bunch of things you can do. One script I wrote a while ago used the tshark protocol hierarchy printout to dynamically learn each protocol type in the capture to not only save per-protocol capture files but to break them into their own folders where each packet capture file was a given protocol type over a given time period (using a combination of tshark and editcap). Even further than that, I built in tshark -z io,stats counters on a per-protocol basis, per time period, so that it would generate an Excel file report of performance metrics over time for any protocol that was supported for it and found in the file.


answered 25 Nov '13, 14:19


Quadratic

edited 25 Nov '13, 14:21
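The scripted approach above, written out as an added example (not code from the answer or from the Wireshark project): it uses tshark's conversation indexes (`tcp.stream`, and `udp.stream` in current tshark releases) to write one capture file per TCP or UDP conversation, named after the first packet's 5-tuple. It assumes `tshark` is on PATH and IPv4 traffic; the function and file names are this example's own.

```sh
#!/bin/sh
# Split a capture into one pcap per TCP/UDP conversation using tshark.
# Usage: ./split_conv.sh input.pcap output_dir

# Display filter that selects one conversation by its stream index.
# $1 = transport (tcp|udp), $2 = stream index
stream_filter() {
    case "$1" in
        tcp|udp) printf '%s.stream == %s\n' "$1" "$2" ;;
        *) printf 'unsupported transport: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Output file name built from the 5-tuple of the conversation's first packet
# (zero-padded index keeps the files in capture order when listed).
# $1 = transport, $2 = index, $3 = src ip, $4 = src port, $5 = dst ip, $6 = dst port
stream_filename() {
    printf '%s_%05d_%s-%s_%s-%s.pcap\n' "$1" "$2" "$3" "$4" "$5" "$6" | tr ':' '_'
}

# Enumerate every conversation of each transport, then export each one.
split_conversations() {
    in="$1"; out="$2"; tab="$(printf '\t')"
    mkdir -p "$out"
    for proto in tcp udp; do
        # One tab-separated line per packet: index, src, sport, dst, dport.
        # awk keeps only the first packet seen for each stream index.
        tshark -r "$in" -Y "$proto" -T fields -E separator=/t \
            -e "$proto.stream" -e ip.src -e "$proto.srcport" \
            -e ip.dst -e "$proto.dstport" \
        | awk -F"$tab" '!seen[$1]++' \
        | while IFS="$tab" read -r idx src sport dst dport; do
            [ -n "$idx" ] || continue
            f="$out/$(stream_filename "$proto" "$idx" "$src" "$sport" "$dst" "$dport")"
            tshark -r "$in" -Y "$(stream_filter "$proto" "$idx")" -w "$f"
        done
    done
}

if [ "$#" -eq 2 ]; then
    split_conversations "$1" "$2"
fi
```

Each output file contains only the packets of one conversation, so a single flow of interest can be opened on its own or handed to editcap or mergecap for further trimming.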

Impressive! I have done the manual GUI way at first, then the script I wrote using tshark (I extract the timeframe of the flow of interest, its basic characteristics like tcp ports, and store it as a unique file with its own info). I think it would make sense to offer the ability to split a capture into all of its individual conversations in a painless manner. I just don't know how to ask for a feature to be added into Wireshark... :-)

In my case, I need to gather captures from multiple points, then I merge them into one so I can observe the movement of packets through the network easily. It's easier to then look at a single flow (src IP, dst IP, src port, dst port, transport) at a time. Right now, I'm looking at 1003 flows taken over 1.5 hours for a single laptop of interest. It's easier to find a needle in an organized haystack...

(25 Nov '13, 14:48) wnatter

Oh, to request a feature you can do it as a bug report. Just make sure to list the severity as "enhancement" to mark it as a feature request: https://bugs.wireshark.org/bugzilla/

As for the needle in a haystack, what exactly is the needle you're looking for from the large trace file?

(25 Nov '13, 15:14) Quadratic
question asked: 25 Nov '13, 13:40

question was seen: 1,928 times

last updated: 25 Nov '13, 15:14