This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to see the pair flow numbers in Wireshark?


Hi, I am researching DDoS attack solutions, but I can't find how to see the pair flow number in Wireshark. Pair flow means the example below:

host 1 --> src(1.1.1.1) dst(2.2.2.2)
host 2 --> src(2.2.2.2) dst(1.1.1.1)

host1 and host2 are a pair.

The pair flow number is a very important element for DDoS detection. Please help me.

asked 05 Apr '15, 20:45

Soong


One Answer:


There is no built-in function in Wireshark to do that. You can use tshark and some scripting to find the pair flows.

tshark -nr input.pcap -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.port -e udp.port -E separator=, -E header=y > output.txt

Then parse the output to find the pair flows that match your definition.

BTW: I added the IP protocol (ip.proto) and the ports, because the following paper includes the identical protocol as part of the "pair-flow" definition. If you don't need them, remove the options or ignore them in your script.

http://goo.gl/mJGXZS

Regards
Kurt

answered 06 Apr '15, 03:16

Kurt Knochner

edited 06 Apr '15, 03:18
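An added example of the parsing step the answer above leaves to the reader (this is not Kurt's script). It assumes the tshark dump was produced with `-E aggregator=/` added to the command, so the two port values of a packet are joined with "/" instead of colliding with the comma separator; the sample rows and addresses are constructed.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of the tshark field dump (header=y, separator=,
# plus -E aggregator=/). Hypothetical addresses; one pair of TCP flows,
# one pair of UDP flows, two one-way TCP flows and one one-way ICMP flow.
SAMPLE = """ip.src,ip.dst,ip.proto,tcp.port,udp.port
1.1.1.1,2.2.2.2,6,40000/80,
2.2.2.2,1.1.1.1,6,80/40000,
1.1.1.1,2.2.2.2,6,40000/80,
3.3.3.3,2.2.2.2,17,,5000/53
2.2.2.2,3.3.3.3,17,,53/5000
10.0.0.5,2.2.2.2,6,55555/80,
10.0.0.6,2.2.2.2,6,55556/80,
4.4.4.4,2.2.2.2,1,,
"""

def flow_key(row):
    """Build the 5-tuple (src, dst, proto, sport, dport) from one tshark row."""
    ports = row["tcp.port"] or row["udp.port"] or "/"   # ICMP etc. has no ports
    sport, dport = (ports.split("/") + [""])[:2]
    return (row["ip.src"], row["ip.dst"], row["ip.proto"], sport, dport)

def reverse_key(key):
    src, dst, proto, sport, dport = key
    return (dst, src, proto, dport, sport)

def pair_flows(text):
    """Return (flows, paired, unpaired): packets per unidirectional flow,
    the set of flow pairs seen in both directions, and flows with no reverse."""
    flows = Counter(flow_key(r) for r in csv.DictReader(StringIO(text)))
    paired, unpaired = set(), set()
    for key in flows:
        rev = reverse_key(key)
        if rev in flows:
            paired.add(frozenset((key, rev)))   # same pair whichever side is seen first
        else:
            unpaired.add(key)
    return flows, paired, unpaired

def pair_stats(text):
    """The counts a detector compares: total flows, pair flows, one-way flows."""
    flows, paired, unpaired = pair_flows(text)
    return {"flows": len(flows), "pairs": len(paired), "unpaired": len(unpaired)}

if __name__ == "__main__":
    # For real data: pair_stats(open("output.txt").read())
    print(pair_stats(SAMPLE))
```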