This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Session Syn & Syn/Ack One row with unique column details Tshark csv file

0

Trying to use Tshark to create a csv file containing:

prefer live capture filtering on "tcp[tcpflags] & (tcp-syn)" working or reading from a pcap using display filtering if required from the result of the above capture filter

This is the output I am desiring in one row with data from the two syn-syn/ack packets from each session. ip.src, ip.id (from src), ip.dst, ip.id (from dst), tcp.srcport, tcp.dstport, all on one row.

I know this requires data from the stream as it is contained in two packets. I don't want to capture the ack, only syn-syn/ack to reduce packets needed to see the session setup with syn's only.

I can get the values for individual packets, but not the bidirectional session on one row.

I need to do this repeatedly, so I am trying to get this built to optimize repeated captures/reports.

Imagine it requires 2 pass if can be done in live capture?

Failing not being able to do this at capture, I can read the resultant syn-syn/ack capture file after capture to build the single row with the ip.id's and other details in both directions for each session.

I am also looking to build another report that is similar to endpoint statistics adding some unique fields into the report to shorten the list of all sessions to one row per peer ip's.

Appreciate ideas!

Thanks,

Bill

asked 01 Jun '17, 17:44

packetman007


One Answer:

0

I don't think this can be done via tshark, because it always prints fields (using -Tfields -e...) per packet. So you'll always end up with two rows that way, not just one.

answered 02 Jun '17, 01:46

Jasper ♦♦

Thank you. I was thinking similarly, but thought there might be some 2 pass process using tcp stream or other session endpoint statistic variables that might make it possible. Appreciate your help. Bill

(02 Jun '17, 08:09) packetman007
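
Because tshark prints one row per packet, the pairing asked for above has to happen after tshark has run. The following is an added example, not code from either poster or from Wireshark: it groups the per-packet rows by `tcp.stream` and emits one row per session. The tshark invocation in the comment, the sample rows, and the output column labels `ip.id.src` / `ip.id.dst` are assumptions made for illustration.

```python
import csv

# Constructed sample of per-packet rows, in the form printed by (assumed invocation):
#   tshark -r syn.pcap -Y "tcp.flags.syn==1" -T fields -E separator=, -e tcp.stream \
#     -e ip.src -e ip.id -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
SAMPLE = [
    "0,10.0.0.5,0x1a2b,192.0.2.10,49152,443,0x0002",  # SYN
    "0,192.0.2.10,0x0000,10.0.0.5,443,49152,0x0012",  # SYN/ACK
    "1,10.0.0.5,0x1a2c,192.0.2.20,49153,80,0x0002",   # SYN, never answered
    "1,10.0.0.5,0x1a2d,192.0.2.20,49153,80,0x0002",   # retransmitted SYN
    "2,192.0.2.10,0x0000,10.0.0.6,443,50000,0x0012",  # SYN/ACK whose SYN was missed
]
SYN, ACK = 0x02, 0x10
# Hypothetical column labels: ip.id.src is the SYN's IP ID, ip.id.dst the SYN/ACK's.
COLUMNS = ["ip.src", "ip.id.src", "ip.dst", "ip.id.dst", "tcp.srcport", "tcp.dstport"]

def merge_handshakes(lines):
    """Return one dict per tcp.stream, oriented client -> server."""
    sessions = {}
    for stream, src, ipid, dst, sport, dport, flags in csv.reader(lines):
        bits = int(flags, 16)
        if not bits & SYN:
            continue  # ignore anything that is not part of the handshake
        row = sessions.setdefault(stream, dict.fromkeys(COLUMNS, ""))
        if bits & ACK:
            # SYN/ACK travels server -> client: keep its IP ID, swap endpoints
            if not row["ip.id.dst"]:
                row["ip.id.dst"] = ipid
            src, dst, sport, dport = dst, src, dport, sport
        elif not row["ip.id.src"]:
            row["ip.id.src"] = ipid  # first SYN wins; retransmissions are ignored
        if not row["ip.src"]:
            row.update({"ip.src": src, "ip.dst": dst,
                        "tcp.srcport": sport, "tcp.dstport": dport})
    return list(sessions.values())

def to_csv(rows):
    """Render the merged sessions as CSV text with a header line."""
    body = [",".join(r[c] for c in COLUMNS) for r in rows]
    return "\n".join([",".join(COLUMNS)] + body)

if __name__ == "__main__":
    print(to_csv(merge_handshakes(SAMPLE)))
```

A session with an unanswered SYN keeps an empty `ip.id.dst`, and a SYN/ACK whose SYN was not captured still yields a row with an empty `ip.id.src`.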