
Filter first and last packet in all conversations

I would like a display filter to grab only the first and last packets in every conversation in the capture. Is this possible?

ThePooBurner
asked 2024-04-26 02:40:03 +0000

Comments

Define "conversation" - IP, TCP, Foo, ...

Chuckc (2024-04-26 02:59:05 +0000)

Each conversation is a set of packets that all have the same tcp.stream value. So I want to see all conversations in the pcap, but only their first and last packets. The idea is to use the frame.time_delta as a column to see how long each conversation was.

ThePooBurner (2024-04-26 03:11:03 +0000)

I'm new to this still, so I don't know about how other types of streams are handled yet. My class is focused on pretty basic stuff. I just have a hard time not making this a little more complicated than they might otherwise be.

ThePooBurner (2024-04-26 03:16:08 +0000)

Statistics -> Conversations -> TCP:Duration or tshark -z conv,type[,filter]?

Otherwise it could be done with a Lua script to add extra field(s) indicating first and last then filter on the new field(s).

Chuckc (2024-04-26 06:13:17 +0000)

2 Answers


Since we're talking about TCP connections here (not part of the question, but clarified in a comment) the start would be identified by the SYN flag and the end by the FIN or RES flag. Together with the generated stream # this should be it.

Jaap
answered 2024-04-27 09:01:24 +0000

This display filter will show the first captured packet of every TCP stream: tcp.time_relative == 0
Thus including streams that were already active when the capture started.

For the last packets I don't know a single display filter option. The most reliable would be the maximum value of tcp.time_relative per stream.
What comes close is filtering on FIN or RESET: tcp.flags & 5
And for a quick start-to-end impression, add SYN: tcp.flags & 7
But then the last ACK to FIN would be filtered out and, of course, none of the streams that remained active when the capture ended.

For small captures you can add the column tcp.time_relative and sort on the column tcp.stream.

An alternative would be to use tshark, sort on tcp.stream and frame.number and use some (awk) script to filter out first and last packets per stream.

André
answered 2024-04-27 10:22:29 +0000

