This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Show tcp.stream index when using tshark -z conv,tcp

0

Is there any way to show the tcp.stream index using the tshark "-z conv,tcp" option?

asked 30 Jan '15, 14:52


heathm
6112
accept rate: 0%

I'm running Wireshark 1.99.1 downloaded Jan. 30, 2015. The output of tshark -z conv,tcp is pretty useless for tracking down problems since it doesn't show any TCP ports nor does it show the TCP stream. If I see something odd in a particular stream, how do I then track down the details of that stream?

(30 Jan '15, 15:31) heathm

In my 1.99.7 version it's displaying the TCP ports as seen below

D:\Traces>tshark -r test.pcap -qz conv,tcp | more

TCP Conversations Filter:<No Filter> [...]

172.16.0.130:51534 <-> 172.16.0.251:80

(02 Jul '15, 00:24) Landi

One Answer:

0

With Tshark 1.8.2, GNU sed 4.2.1 (well, you could do without), GNU awk 4.0.1 (nothing fancy here as well) in the GNU bash 4.2.37 (and nothing fancy here as well), the following hack "works for me"; it is neither fast nor pretty, but it can be written as a one-liner...

# Conversation table without the five header lines and the trailing separator line
tshark -nr input.pcap -z conv,tcp -q | sed '1,5d;$d' |
# Split on ':' or runs of spaces: $1/$2 = A address/port, $4/$5 = B address/port,
# $11 = total bytes, $12 = relative start time; $0 keeps the whole row for printing
awk -F ':| +' '{print $1 " " $2 " " $4 " " $5 " " $11 " " $12 " " $0}' |
while read src sport dst dport total start all ; do
  # Second pass: the frame with these two endpoints and this relative start time
  # is the conversation's first frame, so its tcp.stream is the index we want
  # (-R is the read filter in tshark 1.8; newer releases use -Y for this)
  stream=$(tshark -nr input.pcap -R "ip.addr eq $src and ip.addr eq $dst and tcp.port eq $sport and tcp.port eq $dport and frame.time_relative eq $start" -T fields -e tcp.stream)
  echo "$all $stream"
done

It is very slow (the second tshark call reads the whole file again, each time), and rather error-prone, but you might get the idea.

answered 01 Jul '15, 23:00


nrs01
62
accept rate: 0%

edited 02 Jul '15, 00:12
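The answer above re-reads the capture once per conversation to recover the stream index. As an added example that is not part of the original answer or of Wireshark itself, the following Python script does the same mapping in two tshark passes: it parses the `-z conv,tcp` table and joins it against a `-T fields` dump of `tcp.stream` plus the endpoint columns, keyed on the unordered endpoint pair so that either packet direction matches. The two sample outputs embedded in the block are constructed for illustration (not taken from the post), the names `annotate`, `parse_conversations`, `parse_stream_table` and `run_tshark` are chosen here, and the script assumes IPv4 TCP (`ip.src`/`ip.dst`); IPv6 conversations would come back as unmatched.

```python
"""Annotate tshark's 'conv,tcp' table with tcp.stream indexes in two passes."""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample of `tshark -nr input.pcap -q -z conv,tcp` output
# (layout of the 1.99-era table; not copied from the original post).
SAMPLE_CONV_OUTPUT = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                          |       <-      | |       ->      | |     Total     |    Rel Start    |   Duration   |
                                          | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |                 |              |
172.16.0.130:51534   <-> 172.16.0.251:80           5      1200       4      3400       9      4600     0.000000000         1.2345
172.16.0.130:51535   <-> 172.16.0.251:443          3       600       3       900       6      1500     0.500000000         0.4321
================================================================================
"""

# Constructed sample of
#   tshark -nr input.pcap -T fields -E separator=/t \
#          -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
# Both directions of each stream appear, plus one non-TCP frame with empty fields.
SAMPLE_STREAM_OUTPUT = """\
0\t172.16.0.130\t51534\t172.16.0.251\t80
0\t172.16.0.251\t80\t172.16.0.130\t51534
\t172.16.0.130\t\t172.16.0.1\t
1\t172.16.0.130\t51535\t172.16.0.251\t443
1\t172.16.0.251\t443\t172.16.0.130\t51535
"""

Endpoint = Tuple[str, int]
ConvKey = Tuple[Endpoint, Endpoint]

# A conversation row: "A:port   <-> B:port   <counters...>". The greedy \S+ also
# copes with IPv6 literals, since the port is whatever follows the last colon.
CONV_LINE = re.compile(r"^\s*(\S+):(\d+)\s+<->\s+(\S+):(\d+)\s+(.*)$")


def conv_key(a: Endpoint, b: Endpoint) -> ConvKey:
    """Direction-independent key: the lexically smaller endpoint first."""
    return (a, b) if a <= b else (b, a)


def parse_conversations(text: str) -> List[Tuple[ConvKey, str]]:
    """Return (key, original row) for each conversation; banner/header rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = CONV_LINE.match(line)
        if not m:
            continue  # separator, title, filter or column-header line
        src, sport, dst, dport, _counters = m.groups()
        rows.append((conv_key((src, int(sport)), (dst, int(dport))), line.rstrip()))
    return rows


def parse_stream_table(text: str) -> Dict[ConvKey, int]:
    """Map each endpoint pair to its tcp.stream index (first frame seen wins)."""
    table: Dict[ConvKey, int] = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5 or not parts[0]:
            continue  # frame without a TCP layer: tcp.stream column is empty
        stream, src, sport, dst, dport = parts
        table.setdefault(conv_key((src, int(sport)), (dst, int(dport))), int(stream))
    return table


def annotate(conv_text: str, stream_text: str) -> List[Tuple[int, str]]:
    """Pair every conversation row with its stream index, or -1 when no frame matched."""
    table = parse_stream_table(stream_text)
    return [(table.get(key, -1), row) for key, row in parse_conversations(conv_text)]


def run_tshark(args: List[str]) -> str:
    """Run tshark with the given arguments and return its stdout."""
    return subprocess.run(["tshark", *args], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    pcap = sys.argv[1] if len(sys.argv) > 1 else "input.pcap"  # assumed default name
    conv = run_tshark(["-nr", pcap, "-q", "-z", "conv,tcp"])
    streams = run_tshark(["-nr", pcap, "-T", "fields", "-E", "separator=/t",
                          "-e", "tcp.stream", "-e", "ip.src", "-e", "tcp.srcport",
                          "-e", "ip.dst", "-e", "tcp.dstport"])
    for index, row in annotate(conv, streams):
        print(f"{index:>6}  {row}")
```

Run it as `python3 conv_streams.py capture.pcap` (file names are placeholders); each conversation row is printed with its stream index in front, and a row that no TCP frame matched shows -1 rather than being dropped, which is the case worth noticing when the two tables disagree.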