I am trying to use tshark to create a CSV file. I would prefer live capture filtering on "tcp[tcpflags] & (tcp-syn)", or, if required, reading from a pcap produced by that capture filter and applying a display filter.

This is the output I want, one row per session with data from the two packets (SYN and SYN/ACK) of each session: ip.src, ip.id (from src), ip.dst, ip.id (from dst), tcp.srcport, tcp.dstport, all on one row. I know this requires data from the stream, as it is contained in two packets. I don't want to capture the ACK, only SYN and SYN/ACK, to reduce the packets needed to see the session setup with SYNs only. I can get the values for individual packets, but not the bidirectional session on one row.

I need to do this repeatedly, so I am trying to get this built to optimize repeated captures/reports. I imagine it requires two passes, if it can be done in live capture at all? Failing being able to do this at capture time, I can read the resultant SYN/SYN-ACK capture file after the capture to build the single row with the ip.id's and other details in both directions for each session.

I am also looking to build another report, similar to endpoint statistics, adding some unique fields to the report to shorten the list of all sessions to one row per pair of peer IPs. I appreciate any ideas! Thanks, Bill

asked 01 Jun '17, 17:44 packetman007
One Answer:
I don't think this can be done via tshark, because it always prints fields (using -Tfields -e...) per packet. So you'll always end up with two rows that way, not just one.

answered 02 Jun '17, 01:46 Jasper ♦♦
Thank you. I was thinking similarly, but thought there might be some 2 pass process using tcp stream or other session endpoint statistic variables that might make it possible. Appreciate your help. Bill
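The two-pass approach floated in the question, as an added example that is not from this thread: let tshark print its per-packet fields, then join the SYN and SYN/ACK rows of each tcp.stream into one CSV row afterwards. The tshark command, the tab-separated field order and the sample output below are assumptions constructed for the example, not output from the asker's capture.

```python
import csv
import io
from collections import Counter

# Assumed tshark command (not from the thread) whose tab-separated -T fields output is consumed below
TSHARK_CMD = ("tshark -r syn_only.pcap -Y 'tcp.flags.syn == 1' -T fields -e tcp.stream"
              " -e ip.src -e ip.dst -e ip.id -e tcp.srcport -e tcp.dstport -e tcp.flags.ack"
              " -E separator=/t")

# Constructed sample of that output: stream 1 is a SYN that never got a SYN/ACK.
SAMPLE_TSHARK_OUTPUT = (
    "0\t10.0.0.5\t192.0.2.10\t0x1a2b\t51000\t443\t0\n"
    "1\t10.0.0.5\t192.0.2.20\t0x1a2c\t51001\t80\t0\n"
    "0\t192.0.2.10\t10.0.0.5\t0x0000\t443\t51000\t1\n"
    "2\t10.0.0.7\t192.0.2.30\t0x3344\t40000\t22\t0\n"
    "2\t192.0.2.30\t10.0.0.7\t0x9f01\t22\t40000\t1\n"
)

COLUMNS = ["ip.src", "ip.id_src", "ip.dst", "ip.id_dst", "tcp.srcport", "tcp.dstport"]

def pair_syn_streams(text):
    """Second pass: fold the SYN and SYN/ACK of each tcp.stream into one row. A SYN
    with no SYN/ACK still gets a row, with ip.id_dst empty, so half-open attempts show."""
    syn, synack = {}, {}
    for line in filter(None, text.splitlines()):
        stream, src, dst, ipid, sport, dport, ack = line.split("\t")
        # tcp.flags.ack prints 0/1 in older tshark builds and False/True in newer ones
        if ack in ("1", "True"):
            synack[stream] = (src, ipid)            # server side of the handshake
        else:
            syn[stream] = (src, dst, ipid, sport, dport)
    rows = []
    for stream in sorted(syn, key=int):
        src, dst, sid, sport, dport = syn[stream]
        reply = synack.get(stream)
        # the SYN/ACK must come from the host the SYN was sent to
        did = reply[1] if reply and reply[0] == dst else ""
        rows.append(dict(zip(COLUMNS, [src, sid, dst, did, sport, dport])))
    return rows

def sessions_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def sessions_per_peer(rows):
    """Endpoint-style summary: number of sessions per (client, server) pair."""
    return Counter((r["ip.src"], r["ip.dst"]) for r in rows)
```

Feeding the real tshark output to `pair_syn_streams` gives the one-row-per-session CSV; `sessions_per_peer` collapses those rows to one count per peer pair for the second report.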