Beside writing a script using tshark, what would you recommend to split a capture to have one capture per conversation, e.g. UDP, TCP, or Ethernet? Would it be possible to create a feature to split the opened capture into each of the conversations? asked 25 Nov '13, 13:40 wnatter |
One Answer:
If you insist on an unscripted, manual method through the GUI, easiest way right now would probably be:
Now, through scripted methods there are a bunch of things you can do. One script I wrote a while ago used the tshark protocol hierarchy printout to dynamically learn each protocol type in the capture to not only save per-protocol capture files but to break them into their own folders where each packet capture file was a given protocol type over a given time period (using a combination of tshark and editcap). Even further than that, I built in tshark -z io,stats counters on a per-protocol basis, per time period, so that it would generate an excel file report of performance metrics over time for any protocol that was supported for it and found in the file. answered 25 Nov '13, 14:19 Quadratic edited 25 Nov '13, 14:21 |
Impressive! I have done the manual GUI way at first, then the script I wrote using tshark (I extract the timeframe of the flow of interest, its basic characteristics like tcp ports, and store it as a unique file with its own info). I think it would make sense to offer the ability to split a capture into all of its individual conversation in a painless manner. I just don't know how to ask for a feature to be added into Wireshark... :-)
In my case, I need to gather captures from multiple points, then I merge them into one so I can observe the movement of packets through the network easily. It's easier to then look at a single flow (src IP, dst IP, src port, dst port, transport) at a time. Right now, I'm looking at 1003 flows taken over 1.5 hours for a single laptop of interest. It's easier to find a needle in an organized haystack...
Oh, to request a feature you can do it as a bug report. Just make sure to list the severity as "enhancement" to mark it as a feature request: https://bugs.wireshark.org/bugzilla/
As for the needle in a haystack, what exactly is the needle you're looking for from the large trace file?