This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I tshark a folder full of tracefiles for the biggest TCP stream in each trace?

0

I'm tracing issues with Window Scaling from client to server. After a batch testfile (with copy commands for file transfers) I want to analyse all tracefiles for throughput, window sizes, application read requests and so on, but... from every trace I only need the biggest TCP stream. Most of the time it's "tcp.stream eq 0", but sometimes not. How do I tshark a folder full of traces for the biggest TCP stream in each trace?

As always, all answers are highly appreciated!

asked 18 Jul '11, 23:55


Marc
accept rate: 27%

edited 18 Jul '11, 23:56


2 Answers:

3

So the "koel" stuff you're looking for might look something like this?

for file in *.pcap
do
  # Inner tshark: for every FIN or RST segment print its relative seq, ack and
  # stream number. awk keeps the stream whose seq+ack (bytes sent in both
  # directions) is largest and prints a "tcp.stream==N" filter for the outer
  # tshark, which writes only that stream to a new file.
  # (tshark 1.10 and later: use -Y instead of -R, or add -2 to keep -R.)
  tshark -r "$file" -w "largest-stream-from-$file" \
     -R "$(tshark -nlr "$file" -R "tcp.flags.fin==1 or tcp.flags.reset==1" -T fields -e tcp.seq -e tcp.ack -e tcp.stream | \
           awk 'BEGIN {max=1} {sum=$1+$2; if (sum>max) {max=sum; stream=$3}} END {printf("tcp.stream==%d", stream)}')"
done

(only works with relative sequence numbering on and for streams in which the sequence number does not wrap)

answered 25 Jul '11, 17:12


SYN-bit ♦♦
accept rate: 20%

Many, many thanks! I'll let the script work down my dir; meanwhile I'll try to get my head around every bit of that long line you wrote here. Amazing stuff, Mr Blok!

(26 Jul '11, 05:03) Marc
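The script above depends on relative sequence numbers, on the stream ending in a FIN or RST, and on the sequence number not wrapping. A variant that avoids all three, added here as an example and not part of either answer, sums tcp.len over every segment of every stream and then extracts the winner with a tcp.stream filter. It assumes tshark 1.10 or newer, where -Y is the display filter (older releases used -R); the function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the answers above): pick the TCP stream that
# carries the most payload bytes in each capture and write it to its own
# file. Unlike the FIN/RST + relative-sequence trick, this sums tcp.len over
# every segment, so it works for streams that never close, for captures with
# relative sequence numbers disabled, and across sequence-number wrap.
# Assumes tshark 1.10 or newer (-Y display filter); older releases used -R.

# largest_stream: reads "tcp.stream<TAB>tcp.len" lines (the output of
# `tshark -T fields -e tcp.stream -e tcp.len`) on stdin and prints the stream
# number with the largest payload total. Lines without two fields are
# skipped; an input with no TCP at all yields stream 0.
largest_stream() {
    awk '
        NF == 2 { bytes[$1] += $2 }
        END {
            best = ""; max = -1
            for (s in bytes) if (bytes[s] > max) { max = bytes[s]; best = s }
            if (best == "") best = 0
            print best
        }'
}

# extract_largest FILE: find FILE's largest stream and write only that stream
# to largest-stream-from-FILE.
extract_largest() {
    file=$1
    stream=$(tshark -n -r "$file" -Y tcp -T fields -e tcp.stream -e tcp.len | largest_stream)
    echo "$file: tcp.stream==$stream"
    tshark -r "$file" -Y "tcp.stream==$stream" -w "largest-stream-from-$file"
}

# Usage: sh largest-stream.sh *.pcap   (captures are named on the command line)
for file in "$@"; do
    extract_largest "$file"
done
```

Summing tcp.len ranks streams by application payload, which is what matters for a throughput investigation; swap in frame.len if you want the ranking to match the byte totals that -z conv,tcp reports.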

2
You can use tshark statistics to create a table of all tcp conversations:
$ tshark -r test.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.2:2720     <-> 147.234.1.253:21          28      2306      18      1047      46      3353
147.234.1.253:58999    <-> 192.168.108.2:2721         3       170       2       122       5       292
192.168.108.2:2718     <-> 147.137.21.94:139          0         0       3       186       3       186
192.168.108.2:2717     <-> 147.137.21.94:445          0         0       3       186       3       186
================================================================================

Or use this little script:

for file in *.pcap
do
  tshark -r "$file" -q -z conv,tcp > "$file.txt"
done

answered 25 Jul '11, 11:33


joke
accept rate: 9%

Ah Joke! Thanks for the answer! But this is only partly what I meant: I would need the biggest trace in the file, e.g. a new .pcap file with only the biggest trace, dropping everything else.

(25 Jul '11, 12:12) Marc
So the next step is (but I only know the hard way :))
tshark -r test.pcap -R "ip.addr==192.168.108.2 && tcp.port==2720 && ip.addr==147.234.1.253 && tcp.port==21" -w test.tcp.pcap

$ tshark -r test.tcp.pcap -q -z conv,tcp
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.2:2720     <-> 147.234.1.253:21          28      2306      18      1047      46      3353

(25 Jul '11, 12:34) joke

Exactly, and this is where it gets hard, because doing this for every tracefile in a folder is as much trouble as clicking through the GUI. I was hoping for something (I'm using my fantasy here...) along the lines of: tshark -r test.tcp.pcap -q -z conv,tcp | awk "first lines of previous output", then put that in a new tshark cmd. Wouldn't that be "koel"?

(25 Jul '11, 12:44) Marc
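The "conv,tcp | awk" pipeline imagined in the last comment, written out as an added example (it is not code from either answer): it parses the -z conv,tcp table joke posted, picks the conversation with the largest Total bytes, and builds the display filter that the manual command above builds by hand. It assumes IPv4 endpoints (ip.src/ip.dst) and tshark 1.10 or newer (-Y); the function names and the sample-table variable are mine, and the embedded table is a constructed copy of the one shown in the answer.

```shell
#!/bin/sh
# Added example (not from the answers above): the "conv,tcp | awk" pipeline
# Marc describes. Parses the -z conv,tcp table, picks the conversation with
# the largest Total bytes, and turns its endpoints into a display filter that
# selects that conversation and nothing else. Assumes IPv4 endpoints (ip.src /
# ip.dst) and tshark 1.10 or newer (-Y); older releases used -R.

# largest_conv_filter: reads a conv,tcp table on stdin and prints a display
# filter for its largest conversation. Data rows look like
#   A:port <-> B:port frames bytes frames bytes frames bytes
# so the total byte count is field 9. Unlike "ip.addr==A && tcp.port==p",
# the emitted filter ties each port to its own address in both directions.
largest_conv_filter() {
    awk '
        BEGIN { max = -1 }
        $2 == "<->" && NF == 9 && $9 > max { max = $9; a = $1; b = $3 }
        END {
            if (a == "") exit            # no TCP conversations: print nothing
            aa = a; sub(/:[0-9]+$/, "", aa); ap = a; sub(/.*:/, "", ap)
            ba = b; sub(/:[0-9]+$/, "", ba); bp = b; sub(/.*:/, "", bp)
            printf("(ip.src==%s && tcp.srcport==%s && ip.dst==%s && tcp.dstport==%s) || ", aa, ap, ba, bp)
            printf("(ip.src==%s && tcp.srcport==%s && ip.dst==%s && tcp.dstport==%s)\n", ba, bp, aa, ap)
        }'
}

# extract_largest_conv FILE: write FILE's largest conversation to
# largest-conv-from-FILE.
extract_largest_conv() {
    file=$1
    filter=$(tshark -r "$file" -q -z conv,tcp | largest_conv_filter)
    if [ -z "$filter" ]; then
        echo "$file: no TCP conversations" >&2
        return 1
    fi
    echo "$file: $filter"
    tshark -r "$file" -Y "$filter" -w "largest-conv-from-$file"
}

# Constructed sample: a copy of the conv,tcp table from joke's answer, used
# to exercise the parser without tshark.
SAMPLE_CONV='================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.2:2720     <-> 147.234.1.253:21          28      2306      18      1047      46      3353
147.234.1.253:58999    <-> 192.168.108.2:2721         3       170       2       122       5       292
192.168.108.2:2718     <-> 147.137.21.94:139          0         0       3       186       3       186
================================================================================'

# Usage: sh largest-conv.sh *.pcap ; with no arguments, run on the sample.
if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_CONV" | largest_conv_filter
else
    for file in "$@"; do extract_largest_conv "$file"; done
fi
```

The conversation table does not carry tcp.stream numbers, so the filter has to be built from addresses and ports; the src/dst form is used rather than ip.addr/tcp.port so that a third connection sharing one address and one port number cannot leak into the extracted file.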