I haven't worked with Wireshark before, but now I have to answer a question. When I capture the traffic between my host and different pages of a site, how can I get only the number of TCP connections and the corresponding durations? asked 21 Oct '17, 14:45 maryamtvk
One Answer:
The conversations tool: under Statistics -> Conversations you will have a TCP tab that contains each TCP connection and its start/duration. Note that you can apply a display filter in the main packet pane and then select the check box for Limit to Display Filter to only roll up what is currently displayed. This is often useful on a mirror port where you are only interested in two hosts, or whatever. answered 21 Oct '17, 17:23 Bob Jones
Thanks for your response. Can I filter them for a specific domain name, not just an IP address?
Are you looking to do something like this with a filter:
https://ask.wireshark.org/questions/9916/capturing-traffic-to-any-host-within-a-specific-domain
I don't think you can in a one-pass view. Most frames don't have domain name information in them, so there is no easy way to link an IP to a domain; it usually takes DNS or a hosts file to link the two. Exceptions are DNS packets, which have requests/replies and contain the domain name in plain text, or perhaps something like HTTP requests, which might have the domain name listed. However, this presumed link between an IP and a domain in an HTTP context breaks down when you use a proxy: in that case the IP will be for the proxy, not the actual domain you are attempting to link. Someone else may have other ideas.
I don't know exactly what you are hunting for, but maybe check out ntop-ng (http://www.ntop.org/). This does a good job at trying to break down traffic by ASN, country, etc. It may or may not be detailed enough. Omnipeek also has some tools to aggregate the view.
If we stick to Wireshark capabilities, I'd like to draw your attention to MATE, which allows you to link the DNS communication together with the TCP (and, at a higher layer, HTTP) one, so you can add an "fqdn" metafield to TCP packets to allow filtering sessions by fqdn. Or you can do the same using a Lua post-dissector.
In either case, you are likely to lack DNS resolutions for many sessions in a given capture, as most systems use DNS response caching. Reverse DNS helps only partially, as it is not rare to run several web sites (with totally different fqdns) on a single IP address.
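The two ideas in this thread, rolling both directions of a TCP connection up into one conversation with a start time and duration (optionally limited to a display filter), and then tagging each conversation with the FQDN learned from DNS answers in the same capture, can be shown end to end in plain Python. This is an added example written for this page; it is not Wireshark, MATE or Lua post-dissector code. The packet list is a constructed stand-in for dissected frames (a hypothetical client 10.0.0.5 and three web servers), and it deliberately includes the two failure modes mentioned above: one server whose DNS answer was never seen because the client answered it from cache, and one IP that hosts two different FQDNs.

```python
"""Roll TCP connections up into conversations and tag them with FQDNs from DNS answers.
Added example, not Wireshark/MATE code. PACKETS is a constructed capture."""
from collections import defaultdict

# Constructed stand-in for dissected frames. "dns" records represent DNS answers
# (name -> addresses); "tcp" records carry the 4-tuple and TCP flags.
PACKETS = [
    {"t": 0.000, "proto": "dns", "name": "www.example.com", "addrs": ["93.184.216.34"]},
    {"t": 0.010, "proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "93.184.216.34", "dport": 443, "flags": "S"},
    {"t": 0.020, "proto": "tcp", "src": "93.184.216.34", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "flags": "SA"},
    {"t": 0.021, "proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "93.184.216.34", "dport": 443, "flags": "A"},
    {"t": 0.500, "proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "93.184.216.34", "dport": 443, "flags": "FA"},
    {"t": 0.510, "proto": "tcp", "src": "93.184.216.34", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "flags": "FA"},
    # Second connection to the same server: no new DNS lookup, the name is cached.
    {"t": 1.000, "proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "93.184.216.34", "dport": 443, "flags": "S"},
    {"t": 1.200, "proto": "tcp", "src": "93.184.216.34", "sport": 443, "dst": "10.0.0.5", "dport": 51001, "flags": "SA"},
    # Two different names resolve to one IP (virtual hosting); reverse DNS cannot tell them apart.
    {"t": 2.000, "proto": "dns", "name": "cdn.example.net", "addrs": ["198.51.100.7"]},
    {"t": 2.001, "proto": "dns", "name": "static.example.org", "addrs": ["198.51.100.7"]},
    {"t": 2.100, "proto": "tcp", "src": "10.0.0.5", "sport": 51002, "dst": "198.51.100.7", "dport": 80, "flags": "S"},
    {"t": 2.150, "proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": "10.0.0.5", "dport": 51002, "flags": "SA"},
    # No DNS answer for this server anywhere in the capture (resolved from cache before capture start).
    {"t": 3.000, "proto": "tcp", "src": "10.0.0.5", "sport": 51003, "dst": "203.0.113.9", "dport": 443, "flags": "S"},
    {"t": 3.300, "proto": "tcp", "src": "203.0.113.9", "sport": 443, "dst": "10.0.0.5", "dport": 51003, "flags": "SA"},
]


def _conv_key(pkt):
    """Both directions of one connection map to the same key, as the Conversations tab does."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def tcp_conversations(packets, display_filter=None):
    """Return {key: {'start', 'end', 'duration', 'packets'}} for every TCP connection.

    display_filter is an optional predicate over a packet record; passing one is the
    equivalent of ticking 'Limit to Display Filter' in Statistics -> Conversations.
    """
    convs = {}
    for p in packets:
        if p["proto"] != "tcp":
            continue
        if display_filter is not None and not display_filter(p):
            continue
        c = convs.setdefault(_conv_key(p), {"start": p["t"], "end": p["t"], "packets": 0})
        c["start"] = min(c["start"], p["t"])
        c["end"] = max(c["end"], p["t"])
        c["packets"] += 1
    for c in convs.values():
        c["duration"] = round(c["end"] - c["start"], 6)  # rounded to avoid float noise
    return convs


def dns_ip_map(packets):
    """ip -> set of FQDNs, learned only from DNS answers present in the capture."""
    ipmap = defaultdict(set)
    for p in packets:
        if p["proto"] == "dns":
            for ip in p["addrs"]:
                ipmap[ip].add(p["name"])
    return ipmap


def tag_conversations(convs, ipmap):
    """Attach the server's FQDNs to each conversation (the MATE 'fqdn' metafield idea).

    An empty fqdn list means no DNS answer for that IP was seen, which is what a
    cached resolution looks like. The server side is taken as the lower-numbered
    port; a heuristic that is fine for this constructed data.
    """
    rows = []
    for (a, b), c in sorted(convs.items(), key=lambda kv: kv[1]["start"]):
        server, client = (a, b) if a[1] < b[1] else (b, a)
        rows.append({
            "client": client[0], "server": server[0], "port": server[1],
            "start": c["start"], "duration": c["duration"], "packets": c["packets"],
            "fqdn": sorted(ipmap.get(server[0], ())),
        })
    return rows


def filter_by_fqdn(rows, name):
    """Keep only conversations whose server IP was answered for the given name."""
    return [r for r in rows if name in r["fqdn"]]


def unresolved(rows):
    """Conversations for which the capture holds no DNS answer at all."""
    return [r for r in rows if not r["fqdn"]]


if __name__ == "__main__":
    rows = tag_conversations(tcp_conversations(PACKETS), dns_ip_map(PACKETS))
    print(f"{len(rows)} TCP conversations")
    for r in rows:
        print(f"{r['client']} -> {r['server']}:{r['port']} start={r['start']:.3f}s "
              f"duration={r['duration']:.3f}s fqdn={r['fqdn'] or 'UNRESOLVED'}")
```

The rollup answers the original question directly: the number of keys in `tcp_conversations()` is the connection count, and each entry carries start and duration. The tagging step is where the caveats in the comments above show up in data rather than prose: the 203.0.113.9 connection comes back with an empty fqdn list because its lookup never appears in the capture, and 198.51.100.7 carries two names, so a "filter by domain" on either name matches that one conversation while reverse DNS of the IP could only ever return one of them.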