This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

The number of TCP connections

0

I haven't worked with Wireshark before, but now I should answer a question. When I captured traffic between my host and different pages of a site, how can I get only the number of TCP connections and the corresponding durations?

asked 21 Oct '17, 14:45


maryamtvk
11113
accept rate: 0%


One Answer:

1

The conversations tool: under

Statistics -> Conversations

you will have a TCP tab that contains each TCP connection and the start/duration. Note that you can apply a display filter in the main packet pane and then select the check box for

Limit to Display Filter

to only roll up what is currently displayed. This is often useful on a mirror port where you are only interested in two hosts, or whatever.

answered 21 Oct '17, 17:23


Bob Jones
1.0k2515
accept rate: 21%
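The roll-up that the Conversations window performs for the TCP tab is easy to reproduce on a small constructed packet list, which makes it clear what "Rel Start", "Duration" and "Limit to Display Filter" actually compute. The example below is added here and is not code from the original thread or from the Wireshark project; the packet records, addresses and the `display_filter` callable (standing in for a Wireshark display filter) are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured TCP segment (constructed; only the fields the roll-up needs)."""
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    length: int    # frame length in bytes


def conv_key(p):
    """Direction-independent key: both directions of a flow map to one conversation."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def tcp_conversations(packets, display_filter=None):
    """Group segments into TCP conversations the way Statistics -> Conversations does.

    Rel Start is measured from the first packet of the whole capture, and
    Duration is last-seen minus first-seen within the conversation. When
    display_filter is given, only packets it accepts are rolled up, which is
    what the "Limit to Display Filter" check box does in the GUI.
    """
    if not packets:
        return []
    t0 = min(p.ts for p in packets)
    convs = {}
    for p in packets:
        if display_filter is not None and not display_filter(p):
            continue
        c = convs.get(conv_key(p))
        if c is None:
            # first packet seen decides which side is shown as "Address A"
            c = convs[conv_key(p)] = {
                "address_a": p.src, "port_a": p.sport,
                "address_b": p.dst, "port_b": p.dport,
                "packets": 0, "bytes": 0, "first": p.ts, "last": p.ts,
            }
        c["packets"] += 1
        c["bytes"] += p.length
        c["first"] = min(c["first"], p.ts)
        c["last"] = max(c["last"], p.ts)
    rows = []
    for c in convs.values():
        rows.append({
            "address_a": c["address_a"], "port_a": c["port_a"],
            "address_b": c["address_b"], "port_b": c["port_b"],
            "packets": c["packets"], "bytes": c["bytes"],
            "rel_start": round(c["first"] - t0, 6),
            "duration": round(c["last"] - c["first"], 6),
        })
    rows.sort(key=lambda r: r["rel_start"])
    return rows


# Constructed capture: one client talking to two servers over three TCP connections.
SAMPLE = [
    Packet(0.000, "192.0.2.10", 51000, "198.51.100.20", 443, 74),
    Packet(0.020, "198.51.100.20", 443, "192.0.2.10", 51000, 74),
    Packet(0.021, "192.0.2.10", 51000, "198.51.100.20", 443, 66),
    Packet(0.300, "192.0.2.10", 51001, "198.51.100.20", 443, 74),
    Packet(0.320, "198.51.100.20", 443, "192.0.2.10", 51001, 74),
    Packet(0.900, "192.0.2.10", 51001, "198.51.100.20", 443, 66),
    Packet(1.500, "198.51.100.20", 443, "192.0.2.10", 51000, 66),
    Packet(2.000, "192.0.2.10", 51002, "203.0.113.7", 80, 74),
    Packet(2.010, "203.0.113.7", 80, "192.0.2.10", 51002, 74),
]


def count_connections(packets, display_filter=None):
    """Answer to the question as asked: how many TCP connections, and how long each lasted."""
    rows = tcp_conversations(packets, display_filter)
    return len(rows), [r["duration"] for r in rows]


if __name__ == "__main__":
    for row in tcp_conversations(SAMPLE):
        print(row)
    # "Limit to Display Filter" equivalent of ip.addr == 203.0.113.7
    only_web = lambda p: "203.0.113.7" in (p.src, p.dst)
    print(count_connections(SAMPLE, only_web))
```

Sorting the endpoint tuples in `conv_key` is what makes the reply direction land in the same row as the request; the equivalent of a display filter is any predicate over the packet, applied before the roll-up rather than after it.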

Thanks for your response. Can I filter them for a specific domain name, not just an IP address?

(22 Oct '17, 02:28) maryamtvk

Are you looking to do something like this with a filter:

https://ask.wireshark.org/questions/9916/capturing-traffic-to-any-host-within-a-specific-domain

I don't think you can in a one-pass view. Most frames don't have domain name information in them so no easy way to link an IP to a Domain - it usually takes DNS or a hosts file to link the two. Exceptions are DNS packets which have requests/replies and contain domain name in plain text, or perhaps something like http requests which might have the domain name listed. However, this presumed link between an IP and a domain in an http context breaks down when you use a proxy: in that case the IP will be for the proxy, not the actual domain you are attempting to link. Someone else may have other ideas.

I don't know exactly what you are hunting for, but maybe check out ntop-ng (http://www.ntop.org/). This does a good job at trying to break down traffic by ASN, country, etc. May or may not be detailed enough. Omnipeek as well has some tools to aggregate the view.

(22 Oct '17, 06:24) Bob Jones
1

If we stick to Wireshark capabilities, I'd like to draw your attention to MATE, which allows linking the DNS communication with the TCP (and, at a higher layer, HTTP) one, so you can add an "fqdn" metafield to TCP packets to allow filtering sessions by fqdn. Or you can do the same using a Lua post-dissector.

In either case, you are likely to lack DNS resolutions for many sessions in a given capture, as most systems use DNS response caching. Reverse DNS helps only partially as it is not rare to run several web sites (with totally different fqdns) on a single IP address.

(22 Oct '17, 06:51) sindy
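The MATE/Lua approach sindy describes, and the two caveats that follow it (cached resolutions missing from the capture, several fqdns on one IP), can be shown on constructed data: DNS answers seen in the capture are indexed by resolved address, and each TCP session is tagged with every name that resolved to its server address before the session started. This is an added example in plain Python, not the project's MATE configuration or a Lua post-dissector; the DNS answers, sessions and addresses are constructed.

```python
from collections import defaultdict

# Constructed DNS answers observed in the capture: (timestamp, queried name, A record).
DNS_ANSWERS = [
    (0.100, "www.example.com", "198.51.100.20"),
    (0.105, "static.example.com", "198.51.100.20"),   # second fqdn on the same IP
    (5.000, "api.example.net", "203.0.113.7"),
]

# Constructed TCP sessions: (SYN timestamp, client, server, server port).
TCP_SESSIONS = [
    (0.200, "192.0.2.10", "198.51.100.20", 443),
    (0.300, "192.0.2.10", "198.51.100.20", 443),
    (2.000, "192.0.2.10", "203.0.113.7", 80),   # opened before any DNS answer: cached resolution
    (6.000, "192.0.2.10", "203.0.113.7", 80),
]


def build_dns_index(answers):
    """Map resolved IP -> sorted list of (answer time, fqdn) seen in the capture."""
    index = defaultdict(list)
    for ts, name, ip in answers:
        index[ip].append((ts, name))
    for entries in index.values():
        entries.sort()
    return index


def annotate_sessions(sessions, answers):
    """Attach an 'fqdn' list to each session, mirroring a MATE metafield.

    Only answers that arrived before the session's SYN count, since a later
    answer cannot have been what the client used. A session whose server was
    never resolved inside the capture gets an empty list, which is exactly
    the DNS-caching gap sindy warns about.
    """
    index = build_dns_index(answers)
    annotated = []
    for start, client, server, port in sessions:
        names = sorted({name for ts, name in index.get(server, ()) if ts <= start})
        annotated.append({"start": start, "client": client, "server": server,
                          "port": port, "fqdn": names})
    return annotated


def filter_by_fqdn(annotated, fqdn):
    """Equivalent of a display filter on the metafield, e.g. fqdn == "www.example.com"."""
    return [s for s in annotated if fqdn in s["fqdn"]]


def unresolved(annotated):
    """Sessions that cannot be tied to any name from this capture alone."""
    return [s for s in annotated if not s["fqdn"]]


if __name__ == "__main__":
    tagged = annotate_sessions(TCP_SESSIONS, DNS_ANSWERS)
    for s in tagged:
        print(s)
    print("www.example.com sessions:", len(filter_by_fqdn(tagged, "www.example.com")))
    print("unresolved sessions:", len(unresolved(tagged)))
```

Note the two sessions to 198.51.100.20 carry both names: forward DNS from the capture narrows a server address to a set of candidate sites but cannot pick one, so telling `www.example.com` traffic from `static.example.com` traffic still needs something from the session itself (an HTTP Host header or a TLS SNI) rather than the address.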