I have to determine the duration of a flow of packets sent from the same IP source address (DDoS). My criterion is that the flow should be no less than 60 seconds. I am a bit confused about the different time formats available in tshark for display. What is the best time format to choose for this purpose, and how would the flow duration be determined? This is a sample of what I have so far, with the time in seconds. I can sort the time field and then subtract the first time from the last time to obtain the flow duration. Is this a correct approach? Is there a command in tshark to do both tasks? Thank you for your help.
asked 26 Nov '16, 08:27
edited 26 Nov '16, 08:43
Sorting should normally not be necessary, as the timestamps are monotonically growing, unless you use some reordering of the capture file.
I must say that, as I observe your case from your other questions, I'd pipe the textual output of tshark to a Perl (or any other scripting language which can use associative arrays) script to deal with the task, and I would keep records of first timestamp, last timestamp and packet count for each source IP address, as you seem not to be interested in the actual contents.
As for the time format chosen (unix time in microseconds resolution), I'd probably use
answered 26 Nov '16, 09:10
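The per-source bookkeeping the answer describes (first timestamp, last timestamp, packet count per source IP, then a first-to-last span compared with the 60 second threshold), written here as an added Python script rather than the Perl script the answerer mentions; it is not the answerer's code. It assumes tshark is run as `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src`, giving one epoch timestamp and one source address per line, and the sample lines below are constructed.

```python
import sys

# Constructed sample of tshark field output (hypothetical capture), the shape produced by
#   tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src
# Each line: epoch time in seconds (microsecond resolution) <TAB> source IP address.
SAMPLE_LINES = """\
1480170420.000123\t10.0.0.5
1480170421.500000\t192.168.1.7
1480170445.000000\t192.168.1.7
1480170499.999999\t10.0.0.5
1480170500.000123\t10.0.0.5
"""

MIN_FLOW_SECONDS = 60.0  # the "no less than 60 seconds" threshold from the question


def aggregate_flows(lines):
    """Return {src_ip: (first_ts, last_ts, packet_count)} from tshark field lines.
    Lines with no source IP (non-IP frames) or an unparsable timestamp are skipped."""
    flows = {}
    for raw in lines:
        parts = raw.rstrip("\n").split("\t")
        if len(parts) < 2 or not parts[1]:
            continue
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        src = parts[1]
        if src in flows:
            first, last, n = flows[src]
            # Timestamps are normally monotonic; min/max keeps the span right
            # for a reordered capture without a separate sort pass.
            flows[src] = (min(first, ts), max(last, ts), n + 1)
        else:
            flows[src] = (ts, ts, 1)
    return flows


def long_flows(flows, min_seconds=MIN_FLOW_SECONDS):
    """Return {src_ip: duration_seconds} for sources whose span is >= min_seconds."""
    return {src: last - first for src, (first, last, _) in flows.items()
            if last - first >= min_seconds}


if __name__ == "__main__":
    # "python3 flowdur.py -" reads tshark output from stdin; no argument uses the sample.
    src = sys.stdin if "-" in sys.argv[1:] else SAMPLE_LINES.splitlines(True)
    for ip, dur in long_flows(aggregate_flows(src)).items():
        print(f"{ip}: flow lasted {dur:.6f}s")
```

The same per-source table also answers the sorting question: because first and last are tracked with min/max, the input need not be sorted.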