I ran the following command:

    gunzip -c 201509211400.dump.gz | tshark -nr - -Y "tcp.analysis.retransmission" -T fields -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e expert.message > table1.txt

    13 197.94.235.198 80 152.188.170.15 43372 Retransmission (suspected)
    77 443 40383 Retransmission (suspected)

Now I do not understand why there are no IP addresses for TCP stream 77.

I want to count the TCP retransmission rate for each connection in my pcap file. I am using the following method: the above command gives me all TCP streams with retransmissions. Then I run the following command:

    tshark -nr file.pcap -Y "tcp.stream == x" -z conv,"tcp"

where x is one of the streams given by the first command. Then:

    rate = ((no. of times x appears in the first command's output) / (total lines in the conversation, i.e. the second command's output)) * 100

Is this the right way?

asked 24 Sep '15, 11:53 sahaj
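A one-pass way to get a per-stream rate, as an added example that is not part of the original post: it assumes the rate means retransmitted packets over all packets in the stream, and it requests `ipv6.src`/`ipv6.dst` next to `ip.src`/`ip.dst` because the `ip.*` fields are only populated for IPv4 packets. The sample rows and their addresses are constructed, and the function name is hypothetical.

```python
from collections import defaultdict

# Constructed sample of tab-separated `tshark -T fields` output, as produced by:
#   tshark -nr file.pcap -Y tcp -T fields -e tcp.stream -e ip.src -e ipv6.src \
#          -e ip.dst -e ipv6.dst -e tcp.analysis.retransmission
# Addresses are documentation ranges, not values from the capture in the post.
SAMPLE = "\n".join([
    "13\t192.0.2.10\t\t198.51.100.7\t\t",
    "13\t192.0.2.10\t\t198.51.100.7\t\t1",
    "13\t198.51.100.7\t\t192.0.2.10\t\t",
    "13\t192.0.2.10\t\t198.51.100.7\t\t",
    "77\t\t2001:db8::1\t\t2001:db8::2\t",
    "77\t\t2001:db8::1\t\t2001:db8::2\t1",
])


def retransmission_rates(lines):
    """Return {stream: (endpoints, retransmitted, total, percent)}."""
    stats = defaultdict(lambda: {"ends": None, "retx": 0, "total": 0})
    for line in lines:
        # Split on tabs only: an empty column (for example ip.src on an
        # IPv6 packet) must keep its position, or later columns shift left.
        cols = line.rstrip("\n").split("\t")
        if len(cols) < 6 or not cols[0].isdigit():
            continue  # skip blank or malformed rows
        stream, src4, src6, dst4, dst6, flag = cols[:6]
        entry = stats[int(stream)]
        entry["total"] += 1
        if flag:  # any non-empty value means tshark flagged the packet
            entry["retx"] += 1
        if entry["ends"] is None:
            # Use whichever address family is present for this stream.
            entry["ends"] = tuple(sorted((src4 or src6, dst4 or dst6)))
    return {
        stream: (e["ends"], e["retx"], e["total"],
                 round(100.0 * e["retx"] / e["total"], 2))
        for stream, e in stats.items()
    }


if __name__ == "__main__":
    for stream, row in sorted(retransmission_rates(SAMPLE.splitlines()).items()):
        print(stream, *row)
```
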