This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use Tshark to Produce Conversation list and TCP Analysis Information

I can produce conversation and traffic information with "tshark -r filename.pcap -q -z conv,tcp -n" and I can look for TCP problem indicators with filters like tcp.analysis.retransmission or tcp.analysis.fast_retransmission or tcp.analysis.zero_window. I would like to be able to produce a conversation list with traffic and the number of instances a problem indicator occured but I do not know if this is possible.

It would be great to be able to get a text file that can be parsed automatically so I can be alerted to this type of information. In a perfect world, I would also have RTT type information on a per session basis as well.

stats tshark analysis conversationlist

asked 25 Apr '14, 10:06

Reece
26●1●1●3
accept rate: 0%

One Answer:

You can do this:

tshark -nr input.pcap -Y "tcp.analysis.retransmission or tcp.analysis.fast_retransmission or tcp.analysis.zero_window" -T fields -e tcp.stream

Then use the streams creates with the first command (you'll have to eliminate duplicates for this step) and build a filter for the second command (can be done with a script).

tshark -nr input.pcap -Y "tcp.stream == aaa or tcp.stream == bbb" -q -z conv,tcp

If -Y does not work, try -R instead.

Now, you have two outputs.

First: The amount of errors per stream (stream number)
Second: The conversation list for those streams

You can "merge" the two with a script and create whatever output/result you may need.

Regards
Kurt

answered 26 Apr '14, 12:44

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

This is really helpful - thankyou.

I can't seem to get the filter working with the conv,tcp command though, maybe this is pilot error.

As I want to collect stats in both well behaved and badly behaved streams it would be ideal if I could either output the conv,tcp command without sorting (so I can match line number to stream error) or to include the stream number in the table output. This doesnt seem to be possible, however, I think I can probably match the two tables with the following:

tshark -nr input.pcap -R "tcp.analysis.retransmission or tcp.analysis.fast_retransmission or tcp.analysis.zero_window" -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e expert.message -T fields

(28 Apr '14, 02:33) Reece

maybe this is pilot error.

pilot error? Did you try to use that filter in Riverbed/Cascade Pilot? If so, I'm not sure if the filters are compatible with the ones of wireshark/tshark.

I think I can probably match the two tables with the following:

looks O.K.

(28 Apr '14, 08:23) Kurt Knochner ♦

I think Reece was using the term "pilot error" as defined at http://dictionary.reference.com/browse/pilot+error.

(28 Apr '14, 08:57) cmaynard ♦♦

Ah, I didn't know that one. Thanks for the hint....

(28 Apr '14, 14:46) Kurt Knochner ♦

Sorry for the oblique language and thanks for looking into this. I am happy enough with this to proceed. it would be nice to be able to do this with a single command to reduce load - my files are large - but this will do me.

(29 Apr '14, 10:20) Reece