Wireshark · Wireshark-users: Re: [Wireshark-users] Following streams across multiple files

Wireshark-users: Re: [Wireshark-users] Following streams across multiple files

From: "Sake Blok" <sake@xxxxxxxxxx>

Date: Sat, 10 Oct 2009 15:14:38 +0200

The reason for "Follow TCP Stream" to use the tcp.stream fiels is to distinguish between two conversations that use the same tuple (which happens when port numbers are reused). Unfortunately this does not identify TCP streams across tracefiles. You can either create the "old" conversation filter by hand, or you could use the conversation filter to create it for you (rightclick on the packetlist and choose conversation filter -> TCP).

But.... for the purpose of the original poster, tcpflow might be more convenient:

"tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. "

(see: http://www.circlemud.org/~jelson/software/tcpflow/)

Cheers,

Sake

----- Original Message -----

From: Martin Visser

To: Community support list for Wireshark

Sent: Saturday, October 10, 2009 2:54 PM

Subject: Re: [Wireshark-users] Following streams across multiple files

Not really.

You have two options though. One is simple to merge all of the capture files and the use follow TCP stream then over that merged capture. But of course the reason you have separate files might well be for size reasons, so joining them might not be practical.

The second is for you to identify what makes a stream and use that. For a stream (in a general sense) is identified by a tuple (a set) of the source and destination IP addresses and TCP ports. In older versions of wireshark when you did "Follow TCP stream" it would prepare a display filter with this tuple and display it, as below

(ip.addr eq 192.168.0.118 and ip.addr eq 212.58.253.70) and (tcp.port eq 43047 and tcp.port eq 80)

Now if you then copied this display filter, and then opened a different capture file it, it could then be used as a display filter to show the same stream.

Now in newer versions of Wireshark (I'm not sure exactly when this appeared), when you "Follow TCP Stream", you now get a display filter something like:-

tcp.stream eq 54

Now for most purposes this makes it easier to select and remember different streams, the "tcp.stream" is a generated field that only has relevance to the capture file loaded. Basically for every new TCP stream that wireshark decodes (based on each unique source and dest IP and TCP port tuple) it generates a new TCP stream. And of course each capture file will almost certainly have different streams and probably appearing in different order. The only easy way that I can see to create a display filter that references a particular stream across different captures (in the newer Wireshark versions) is unfortunately going to need to be done manually and would follow the first format I mentioned.

Regards, Martin

MartinVisser99@xxxxxxxxx

On Sat, Oct 10, 2009 at 12:01 PM, Ray Simard <rhs.wshark@xxxxxxxxxxxxxxxx> wrote:

Is there a way to follow a TCP (or other) stream over a file set? This
feature is completely new to me so I'm not well versed in it, but I
haven't seen anything about it in the docs so far.

I've been able to assemble streams from multiple files by saving them
separately and then concatenating them, using IP addresses and port
number to identify them, but if there's an easier way I'd love to find
out about it.

Thanks,
Ray
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

References:
- [Wireshark-users] Following streams across multiple files
  - From: Ray Simard
- Re: [Wireshark-users] Following streams across multiple files
  - From: Martin Visser

Prev by Date: Re: [Wireshark-users] Following streams across multiple files
Next by Date: Re: [Wireshark-users] VoIP Calls & old E1 telephony protocols
Previous by thread: Re: [Wireshark-users] Following streams across multiple files
Next by thread: [Wireshark-users] help dump stop work
Index(es):
- Date
- Thread