How to create a graph of the number of active TCP connections over time?

How do I create a graph of current active TCP connections over time for a Wireshark file?

romk, asked 2017-12-08 16:45:32 +0000; updated by Guy Harris 2017-12-09 05:47:24 +0000

1 Answer

I did it once that way: filter on every packet that has one of these flags set: SYN, RST or FIN.

Then apply a column for that flags field and one for the ACK flag. After that you can export that view as a CSV file.

And when you import that file, for example into Excel, you can count with a macro the number of concurrent sessions, and that number you can draw.

This can be a solution. You can also try it another way by using tshark and some shell environment like PowerShell or bash. But Wireshark itself can't help you at the moment with that question, as there is no explicit field that counts that number.

Hope this answer helps you.

Christian_R, answered 2017-12-10 20:59:51 +0000

Comments

Bear in mind that the above method intrinsically ignores all sessions established before the capture has started - depending on your use case, the significance may be anywhere between "negligible" and "fundamentally wrong".

I would use a (Lua) post-dissector which would keep track of the number of sessions and add a generated field with their current count to the dissection tree of each TCP packet. You could then make a graph inside Wireshark where Y value would be the AVG value of that field.

As each packet is dissected multiple times, such a post-dissector would have to maintain a global table (array), such as sess_cnt[], indexed by frame.number, to guarantee that it would calculate the value for each packet only once - all packets are dissected in sequence when Wireshark starts.

You would have to track two global values - max_tcp_stream and stream_count, both initialized to 0.

Whenever there would be no row ... (more)

sindy (2017-12-11 14:55:22 +0000)
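As an added example (not code from this thread), this Python script does the tshark-plus-script variant Christian_R mentions, with the per-stream bookkeeping sindy's comment describes: a stream counts as active from its first packet, SYN or not, so sessions older than the capture are at least counted once they show traffic, and the number of such streams is reported so you can judge the size of the blind spot. It assumes the CSV was produced by `tshark -r capture.pcapng -Y tcp -T fields -E separator=, -e frame.time_epoch -e tcp.stream -e tcp.flags.syn -e tcp.flags.fin -e tcp.flags.reset` (the sample rows below are constructed) and that tshark prints a set boolean field as 1, True or Set, which varies by version.

```python
import csv
from io import StringIO

SET_VALUES = {"1", "True", "Set"}  # tshark's rendering of a set boolean varies by version (assumption)

# Constructed sample rows: frame.time_epoch, tcp.stream, tcp.flags.syn, tcp.flags.fin, tcp.flags.reset.
# Stream 2 is first seen mid-connection (no SYN): it was established before the capture began.
SAMPLE_CSV = """\
1512751200.000,0,1,0,0
1512751200.050,0,1,0,0
1512751200.100,0,0,0,0
1512751201.000,1,1,0,0
1512751201.200,2,0,0,0
1512751202.000,0,0,1,0
1512751202.100,0,0,1,0
1512751203.000,1,0,0,1
1512751204.000,2,0,1,0
1512751204.100,2,0,1,0
"""

def count_active(csv_text):
    """Return ([(time, active_after_packet)], streams_first_seen_without_syn).
    A stream is active from its first packet (SYN or not, so sessions older than the capture
    count from their first visible traffic) until a RST or the second FIN (one per side)."""
    fins = {}       # open tcp.stream -> number of FIN packets seen so far
    closed = set()  # torn-down streams; their late ACKs are ignored
    without_syn, active, points = 0, 0, []
    for row in csv.reader(StringIO(csv_text)):
        if len(row) < 5 or not row[1]:
            continue  # malformed or non-TCP line
        t, stream = float(row[0]), int(row[1])
        syn, fin, rst = (row[i] in SET_VALUES for i in (2, 3, 4))
        if stream not in closed:
            if stream not in fins:  # first packet of this stream
                fins[stream] = 0
                active += 1
                without_syn += 0 if syn else 1
            if rst or (fin and fins[stream] >= 1):
                closed.add(stream)
                del fins[stream]
                active -= 1
            elif fin:
                fins[stream] += 1
        points.append((t, active))
    return points, without_syn

def per_second(points):
    """Active count at the end of each second (x/y pairs for a plot); the last packet in a second wins."""
    series = {int(t): active for t, active in points}
    return sorted(series.items())
```

Feeding `per_second(count_active(open("export.csv").read())[0])` into any plotting tool gives the graph; the second return value tells you how many streams never showed a handshake.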
