This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Retrive tcp duration using tshark

0

I would like to know how long the TCP connection lasted using tshark, in wiresahrk this info is represented in the conversation statistics

asked 18 Oct '11, 17:20

ddayan's gravatar image

ddayan
41151720
accept rate: 0%


One Answer:

0

If you know the TCP stream index for the connection, you can pull out the frame.time_epoch field for the first and last frames and subtract them.

tshark -r <filename> -R "tcp.stream eq <index>" -T fields -e frame.time_epoch

That will print out the arrival times for each packet in the stream. You can subtract the first number from the last to get the total duration as Wireshark would calculate it.

answered 24 Oct '11, 18:15

zachad's gravatar image

zachad
331149
accept rate: 21%