Wireshark-users: Re: [Wireshark-users] top talkers by port usage or SYN attempts - ericsson error
From: jacob c <jctx09@xxxxxxxxx>
Date: Fri, 25 Jan 2008 11:56:59 -0800 (PST)
I appreciate the info. I have actually taken several captures now on individual vlans and have located the top talkers. I also tried the tshark command you mentioned below without success. I get the "ericsson error" as shown below.  Here is what happens:
C:\Program Files\Wireshark>tshark -r c:\captures\0_0-10mins -T fields -e ip.src
"tcp.flags.syn==1 &&
Could not open file: 'Ericsson.xml', error: No such file or directory
tshark: Unexpected end of filter string.
 
C:\Program Files\Wireshark>tshark -v
Could not open file: 'Ericsson.xml', error: No such file or directory
TShark 0.99.7 (SVN Rev 23910)
Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.14.3, with WinPcap (version unknown), with libz 1.2.3, with
libpcre 6.4, with SMI 0.4.5, with ADNS, with Lua 5.1, with GnuTLS 1.6.1, with
Gcrypt 1.2.3, with MIT Kerberos.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5.
Built using Microsoft Visual C++ 6.0 build 8804
C:\Program Files\Wireshark>

Do you know what I should modify to resolve this?
Thanks,

Sake Blok <sake@xxxxxxxxxx> wrote:
On Thu, Jan 24, 2008 at 03:26:37PM -0800, jacob c wrote:
> I have a linux load balancer appliance where some user is constantly
> making too many connections to some unknown ip address. When this
> happens it eventually uses up all 65,000 ports. Is there some way
> to take a massive capture and then filter it out in wireshark by top
> port talkers and/or top syn attempts by ip address? Any info would be
> very much appreciated.

Well, in Wireshark you can use the "Endpoints" option under "statistics".
This could give you the top 10 list of ip-addresses generating the most
packets or bytes.

If you just want SYN packets to be counted, you can either create a
2nd trace file with only the SYN packets and look at the endpoint
statistics in this new file.

Or... you could use tshark with some command piping:

tshark -r <capture-file> -T fields -e ip.src "tcp.flags.syn==1 && tcp.flags.ack==0" | sort | uniq -c | sort -rn | head

I hope this helps,
Cheers,
Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
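The pipeline Sake describes, extended a little, as an added example that is not part of this thread: it counts connection attempts (SYN set, ACK clear) per source address and also how many distinct source ports each host burned, which is the port-exhaustion symptom Jacob asked about. The sample lines are constructed to look like tshark `-T fields` output; whether a version prints boolean fields as 1/0 or True/False is an assumption handled for both cases, and the function and field order are my own.

```shell
#!/bin/sh
# Constructed stand-in for:
#   tshark -r capture.pcap -T fields -e ip.src -e tcp.srcport \
#          -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
# One tab-separated record per packet:
#   ip.src  tcp.srcport  ip.dst  tcp.dstport  tcp.flags.syn  tcp.flags.ack
sample_fields() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    10.0.0.5    40001 203.0.113.9 443   1 0 \
    10.0.0.5    40002 203.0.113.9 443   1 0 \
    10.0.0.5    40003 203.0.113.9 443   1 0 \
    203.0.113.9 443   10.0.0.5    40001 1 1 \
    10.0.0.7    50001 192.0.2.10  80    1 0 \
    10.0.0.7    50001 192.0.2.10  80    0 1 \
    10.0.0.9    51000 192.0.2.10  80    1 0
}

# Reads tshark field records on stdin. Keeps only client-side SYNs
# (SYN set, ACK clear, so SYN/ACK replies are not counted), then prints
# "<syn_count> <distinct_src_ports> <ip.src>", most attempts first.
# Optional first argument limits the number of rows (default 10).
top_syn_sources() {
  awk -F'\t' '
    ($5 == "1" || $5 == "True") && ($6 == "0" || $6 == "False") {
      syn[$1]++
      # count each (source address, source port) pair only once
      if (!(($1, $2) in seen)) { seen[$1, $2] = 1; ports[$1]++ }
    }
    END { for (ip in syn) printf "%d %d %s\n", syn[ip], ports[ip], ip }
  ' | sort -k1,1nr -k3,3 | head -n "${1:-10}"
}

# Stand-alone run: replace sample_fields with the real tshark pipeline.
sample_fields | top_syn_sources
```

A host whose distinct-port count climbs toward the ephemeral range limit while its SYN count keeps rising is the one exhausting the load balancer's ports.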

