
Equivalent of Wireshark's Statistics - Conversations in tshark

In Wireshark, after clicking Statistics - Conversations, TCP tab, we obtain the header below:

"Address A","Port A","Address B","Port B","Packets","Bytes","Packets A → B","Bytes A → B","Packets B → A","Bytes B → A","Rel Start","Duration","Bits/s A → B","Bits/s B → A"

We get similar results with tshark using the command line:

tshark -qtu -z conv,tcp -r <file> -Tfields -E header=y -E separator="," -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport

The field "ip.src" in tshark is the equivalent of "Address A" in Wireshark, "tcp.srcport" of "Port A", and so on.

How can we find the other fields like "Rel Start", "Duration", etc.? The tshark man page does not present any field list for them.

insilicium
asked 2022-05-27 14:54:50 +0000
grahamb
updated 2022-05-28 11:07:17 +0000

1 Answer


The data displayed in Statistics->Conversations or in the tshark -z conv,... tables is calculated and stored in the struct defined in conversation_table.h and printed by tap-iousers.c:

/** Conversation information */
typedef struct _conversation_item_t {
    ct_dissector_info_t *dissector_info; /** conversation information provided by dissector */
    address             src_address;    /** source address */
    address             dst_address;    /** destination address */
    endpoint_type       etype;          /** endpoint_type (e.g. ENDPOINT_TCP) */
    guint32             src_port;       /** source port */
    guint32             dst_port;       /** destination port */
    conv_id_t           conv_id;        /** conversation id */

    guint64             rx_frames;      /** number of received packets */
    guint64             tx_frames;      /** number of transmitted packets */
    guint64             rx_bytes;       /** number of received bytes */
    guint64             tx_bytes;       /** number of transmitted bytes */

    nstime_t            start_time;     /** relative start time for the conversation */
    nstime_t            stop_time;      /** relative stop time for the conversation */
    nstime_t            start_abs_time; /** absolute start time for the conversation */
} conv_item_t;


Some of the items happen to align with Wireshark display fields but it's not a one-to-one match.

Chuckc
answered 2022-05-28 15:13:17 +0000, updated 2022-05-28 15:13:52 +0000
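Since "Rel Start", "Duration" and the per-direction counters have no single -e field, one workable approach is to export per-packet fields with tshark and aggregate them into the same columns the Conversations window shows. The script below is an added example, not code from the question, the answer or Wireshark; it assumes that Address A / Port A is the source of the first packet seen for a conversation (so start_time is that packet's relative time and stop_time the last packet's) and uses a constructed sample in place of real tshark output.

```python
import csv
from io import StringIO

# Constructed sample, shaped like the output of (hypothetical capture file):
#   tshark -r <file> -T fields -E header=y -E separator=, \
#     -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e frame.len
SAMPLE = """frame.time_relative,ip.src,tcp.srcport,ip.dst,tcp.dstport,frame.len
0.000000,10.0.0.5,51000,192.0.2.10,443,74
0.012000,192.0.2.10,443,10.0.0.5,51000,74
0.012500,10.0.0.5,51000,192.0.2.10,443,66
0.500000,10.0.0.5,51000,192.0.2.10,443,1514
1.000000,192.0.2.10,443,10.0.0.5,51000,1514
2.000000,10.0.0.5,52000,198.51.100.7,80,74
"""

def conversations(tshark_csv):
    """Rebuild the Wireshark 'Conversations / TCP' columns from per-packet fields.
    Assumption: Address A / Port A is the source of the first packet seen for the
    4-tuple; later packets count as A->B or B->A depending on their source."""
    convs = {}  # dict keeps insertion order, so first-seen conversation comes first
    for row in csv.DictReader(StringIO(tshark_csv)):
        t, n = float(row["frame.time_relative"]), int(row["frame.len"])
        src = (row["ip.src"], int(row["tcp.srcport"]))
        dst = (row["ip.dst"], int(row["tcp.dstport"]))
        # frozenset makes the key direction-agnostic: {src, dst} == {dst, src}
        c = convs.setdefault(frozenset((src, dst)), {"a": src, "b": dst, "pk_ab": 0,
                             "by_ab": 0, "pk_ba": 0, "by_ba": 0, "start": t, "stop": t})
        side = "ab" if src == c["a"] else "ba"
        c["pk_" + side] += 1
        c["by_" + side] += n
        c["stop"] = max(c["stop"], t)  # Duration = stop_time - start_time, as in the struct
    rows = []
    for c in convs.values():
        dur = c["stop"] - c["start"]
        bps = lambda b: round(b * 8 / dur) if dur > 0 else 0  # 0 chosen here for a zero-length conversation
        rows.append({
            "Address A": c["a"][0], "Port A": c["a"][1],
            "Address B": c["b"][0], "Port B": c["b"][1],
            "Packets": c["pk_ab"] + c["pk_ba"], "Bytes": c["by_ab"] + c["by_ba"],
            "Packets A → B": c["pk_ab"], "Bytes A → B": c["by_ab"],
            "Packets B → A": c["pk_ba"], "Bytes B → A": c["by_ba"],
            "Rel Start": c["start"], "Duration": round(dur, 6),
            "Bits/s A → B": bps(c["by_ab"]), "Bits/s B → A": bps(c["by_ba"]),
        })
    return rows

if __name__ == "__main__":
    for r in conversations(SAMPLE):
        print(r)
```

Feed it the real tshark output by reading stdout instead of SAMPLE; the "Bytes" column counts frame.len, so it will match the Wireshark table only if Wireshark is also counting whole frames.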
