any way of filtering out the "Relative Start" and "Duration" fields in the conv output of Tshark version 3.0.0
I don't know if you can do this in Wireshark (I don't think so), but you can get pretty good results using tshark I think. For example:
tshark -r file.pcap -z conv,tcp -q
This will produce output such as follows:
================================================================================
TCP Conversations
Filter:<no filter="">
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
192.168.112.101:39611 <-> 69.4.231.52:http 20545 26190636 13022 707804 33567 26898440 0.000000000 32.8158
================================================================================
With the capture file I tested, there was only a single TCP connection; therefore there's only a single row of data in this output.
I think the OP wants to drop the specified columns from the output, I don't think this is possible.
Thank you for responding to my question. Please test udp on your end and tell what you get. I'm entering: tshark -r file.pcap -q -z conv,udp. However, I'm getting a lot of repeated conversations...between the same source/destination ip address. Is it because of the Relative Start field?
The port numbers are probably different, so they would constitute different conversations.
Comments