
Best time format to analyze duration of flow

0

I have to determine the duration of a flow of packets sent from the same IP source address (DDoS). My criterion is that the flow should be no less than 60 seconds. I am a bit confused about the different time formats available in tshark for display. What is the best time format to choose for this purpose, and how would the flow duration be determined? This is a sample of what I have so far, with the time in seconds. I can sort the time field and then subtract the first time from the last time to obtain the flow duration. Is this a correct approach? Is there a command in tshark to do both tasks? Thank you for your help.

8950 1385856045.754978 94.102.63.238 TCP
9030 1385856046.165178 94.102.63.238 TCP
9042 1385856046.195650 94.102.63.238 TCP
9082 1385856046.348072 94.102.63.238 TCP
9093 1385856046.391306 94.102.63.238 TCP
9105 1385856046.441899 94.102.63.238 TCP
9129 1385856046.562191 94.102.63.238 TCP
9150 1385856046.681125 94.102.63.238 TCP
9171 1385856046.824253 94.102.63.238 TCP
9178 1385856046.850174 94.102.63.238 TCP
9198 1385856046.949589 94.102.63.238 TCP
9233 1385856047.107929 94.102.63.238 TCP
9234 1385856047.110825 94.102.63.238 TCP
9245 1385856047.181578 94.102.63.238 TCP
9269 1385856047.314578 94.102.63.238 TCP
9278 1385856047.341350 94.102.63.238 TCP

asked 26 Nov '16, 08:27


MaryR

edited 26 Nov '16, 08:43


sindy


One Answer:

2

Sorting should normally not be necessary as the timestamps are monotonously growing, unless you use some reordering of the capture file.

I must say that as I observe your case from your other Questions, I'd pipe the textual output of tshark to a perl (or any other scripting language which can use associative arrays) script to deal with the task, and I would keep records of first timestamp, last timestamp and packet count for each source IP address, as you seem not to be interested in the actual contents.

As for the time format chosen (unix time at microsecond resolution), I'd probably use frame.time_relative because it has fewer significant digits, so the float representation can be more precise compared to unix time. But for your purpose it is not significant, as a 1 second resolution seems to be sufficient.

answered 26 Nov '16, 09:10


sindy

Thank you for your answer Sindy. For some reason when I sorted the ip source address field, the time field turned out to be sorted also, but only for some IP addresses. For example, for this IP address, time is not growing. I added the time field that you suggested to see the display. So basically, I could use either time format to calculate my flow time, right?

As for the script, would a bash script work? Sadly, I do not know Perl, nor bash scripting for that matter, but it seems to me that it would be easier to learn how to write a bash script.

So what I am trying to accomplish cannot be done by just CL advanced commands? Thanks so much for responding.

        27.913075000    1385856027.924645   92.42.38.238,149.67.116.32  ICMP
8107    41.576163000    1385856041.587733   92.42.38.238,149.67.116.64  ICMP
2478    13.732778000    1385856013.744348   92.42.38.238,149.67.118.57  ICMP
822     4.681965000     1385856004.693535   92.42.38.238,149.67.137.127 ICMP
1592    8.926652000     1385856008.938222   92.42.38.238,149.67.139.8   ICMP
757     4.352003000     1385856004.363573   92.42.38.238,149.67.14.21   ICMP
899     5.162769000     1385856005.174339   92.42.38.238,149.67.141.21  ICMP
7106    36.355340000    1385856036.366910   92.42.38.238,149.67.154.103


(26 Nov '16, 12:09) MaryR

So what I am trying to accomplish cannot be done by just CL advanced commands?

You can use the statistics functions of tshark (from the -z universe), but that won't provide all you want for more than a single IP address, so you'd have to use multiple passes: first to identify the list of IP addresses which are worth deeper investigation, and then to produce individual statistics for each of them.

By piping a tshark output to a tailor-made script, you can get your result in a single pass. Bash scripts do support arrays but the index must be an integer number; what makes the mission possible is that not all array elements must be initialized. So for IPv4 addresses, you can convert the IP address to a 32-bit integer (which it actually is) and then use it as an index to the three arrays (count, first_ts, last_ts). For IPv6 addresses, I'm not sure whether your bash will understand 128-bit integers, while in perl you would simply use string forms of the IP addresses as index values.

For some reason when I sorted the ip source address field, the time field turn out to be sorted also but only for some IP addresses.

I would have to see the complete CLI command which has caused that. If you take a real capture file and let tshark print some fields of the frames, they will be printed in the order in which they have been captured.

(26 Nov '16, 13:26) sindy
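As an added example (not code from the thread, from sindy or from the Wireshark project), here is the single-pass approach from the answer and from the follow-up comment written in POSIX shell with awk: awk's associative arrays stand in for perl's, so string IP addresses (IPv4 or IPv6) are used directly as keys, and frame.time_relative is used as the answer suggests. The tshark invocation is an assumption and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): one-pass per-source flow summary
# from tshark field output. awk's associative arrays replace perl's, so
# IPv6 sources work as-is (no integer conversion needed).
# Assumed producer, field order matters:
#   tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src
# frame.time_relative is preferred over frame.time_epoch because its
# smaller magnitude leaves more of the double's precision for the
# fractional seconds.

# Usage: flow_durations [min_seconds] < tshark_output
# Prints: ip  packets  first  last  duration   for flows >= min_seconds
flow_durations() {
    awk -F '\t' -v min="${1:-60}" '
        $2 == "" { next }                     # frame without ip.src: skip
        !($2 in first) { first[$2] = $1 }     # first sighting of this source
        { last[$2] = $1; count[$2]++ }        # every frame updates these
        END {
            for (ip in first) {
                dur = last[ip] - first[ip]
                if (dur >= min)
                    printf "%s\t%d\t%.6f\t%.6f\t%.3f\n",
                           ip, count[ip], first[ip], last[ip], dur
            }
        }'
}

# Counts output lines without the padding some wc implementations add.
line_count() { awk 'END { print NR }'; }

# Constructed sample (not a real capture): only 94.102.63.238 spans >= 60 s;
# the last line mimics a non-IP frame (empty ip.src).
sample_input() {
    printf '%s\t%s\n' \
        0.000000000  94.102.63.238 \
        4.352003000  92.42.38.238 \
        4.681965000  92.42.38.238 \
        30.500000000 94.102.63.238 \
        41.576163000 92.42.38.238 \
        61.250000000 94.102.63.238 \
        70.100000000 10.0.0.5 \
        70.200000000 ""
}

sample_input | flow_durations 60
```

Replace the sample_input call with the tshark command above to run it on a real capture; lowering the threshold argument shows the shorter flows too.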