How to filter TCP conversations without any error packet ?

Question

When investigating a large trace, it is easy to point an error packet filtering on tcp.analysis.flags and "Follow TCP stream" for some of them.

Is there a way to get a summary of TCP Conversations for only TCP streams that contain no error packet ?

I got the following idea but have no clue how to implement it:

get the list of tcp.stream IDs for packets filtered on tcp.analysis.flags
exclude all packets for that streams

Answer 1

I got the following idea but have no clue how to implement it:

Please take a look at the examples in the answers of the following questions.

https://ask.wireshark.org/questions/14811/follow-tcp-stream-with-tshark-still-can-not-in-batch-mode
https://ask.wireshark.org/questions/4677/easy-way-to-save-tcp-streams

Both examples wil work on Linux. You'll have to adapt it to your use case.

for stream in `tshark -nr input.pcap -Y "tcp.analysis.flags" -T fields -e tcp.stream | sort -n | uniq`
do
    echo $stream
    tshark -r input.pcap -w stream-$stream.pcap -Y "tcp.stream eq $stream"
done

Then merge all of the pcap files with mergecap and create the conversation statistics in Wireshark or tshark.

tshark -nr merged.pcap -q -z conv,tcp > output.txt

You can also export the conversation stats in the loop

for stream in `tshark -nr input.pcap -Y "tcp.analysis.flags" -T fields -e tcp.stream | sort -n | uniq`
do
    echo $stream
    tshark -nr input.pcap -Y "tcp.stream eq $stream" -q -z conv,tcp >> output.txt
done

Regards
Kurt

Answer 2

Hm, you could just try to do it this way, using the standard Wireshark statistics functionality:

filter for not tcp.analysis.flags
open Statistics -> Conversation
select "TCP"
check "Limit to display filter".

You should end up with a list of all conversations that have no error packet (or, more exact, no packet that a TCP analysis was diagnosed for)