
Tshark capture filter

When verifying that FlowView is identifying flows with the correct application, we use tcpreplay to send traffic from packet capture files into an appliance capture interface. The packet captures can be homemade by us or from our customers. These packet captures are typically recorded without filtering, so naturally they contain extraneous protocols and many mid-conversation sessions that happened to be in progress when the capture started.

When testing new applications that FlowView can identify, we want to give it an initial, best chance of succeeding. To do this we feed it traffic from only the application we're interested in. For TCP-based applications, we filter out just the full TCP conversations.

We can start to identify the full TCP conversations by looking for the 3-way handshakes. Finding the SYN and SYN-ACK packets of each TCP conversation being initiated is pretty simple to do in Wireshark by applying a post-capture filter like = 1 & = 0. That filter will find the SYN packets; to also find SYN-ACK packets, a second filter is needed: = 1 & = 1. Combine the two filters with a logical OR:

This is a good start: this filter has identified the TCP conversations that began after the capture was started, but how can we get all packets of each conversation, for every conversation? We can right-click on each SYN or SYN-ACK packet and choose "Follow TCP Stream", which gives you all the packets for that TCP conversation, but that's going to be annoying after the third or fourth TCP conversation.

It is time to turn to Wireshark's lovable command-line cousin, tshark, to provide us with a scriptable solution to the problem. We can supply tshark with the same filters that Wireshark accepts and control what we get for the output. What we need is a filter to display every full TCP conversation inside our packet capture file. Wireshark keeps track of all TCP conversations with a stream ID, and tshark can help us build up that list of stream IDs.

Let's get familiar with using tshark for this purpose. tshark reads in packet capture files with the -r option and applies filters with the -R option:
The default output is the packets themselves.
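A scriptable version of the workflow described above, added here as an example rather than taken from the post: one tshark pass lists the stream IDs whose SYN is inside the capture, and a second pass writes each of those conversations to its own file. The function names and the split_streams.sh file name are mine; the options (-r, -Y, -T fields, -e, -w) and the field names (tcp.stream, tcp.flags.syn, tcp.flags.ack) are real tshark/Wireshark ones.

```shell
#!/bin/sh
# Added helper (not from the original post) around the post's workflow:
# find the conversations whose handshake is inside the capture, then pull
# every packet of each one out with tshark.
# -Y is the current display-filter option; the post's -R form is the older
# two-pass variant (modern tshark requires -2 alongside it).

# One "stream<TAB>syn<TAB>ack" line per TCP packet in the capture.
dump_tcp_flags() {
    tshark -r "$1" -Y tcp -T fields -E separator=/t \
        -e tcp.stream -e tcp.flags.syn -e tcp.flags.ack
}

# Read those lines on stdin and print each stream id that has a SYN with
# ACK clear, i.e. the post's first filter (SYN, not SYN-ACK). Streams only
# seen mid-conversation never match and are dropped. Boolean fields print
# as 1/0 or True/False depending on the tshark version, so accept both.
handshake_streams() {
    awk -F '\t' '($2 == 1 || $2 == "True") && ($3 == 0 || $3 == "False") &&
                 !seen[$1]++ { print $1 }' | sort -n
}

# Join stream ids from stdin into one display filter that selects every
# packet of those conversations: "tcp.stream == 0 || tcp.stream == 2 ...".
stream_filter() {
    awk 'NR > 1 { printf " || " } { printf "tcp.stream == %s", $1 }
         END { if (NR) print "" }'
}

# Write every packet of one conversation to its own pcap file.
extract_stream() { # <pcap> <stream id> <outdir>
    tshark -r "$1" -Y "tcp.stream == $2" -w "$3/stream-$2.pcap"
}

# Usage: sh split_streams.sh capture.pcap outdir
if [ $# -eq 2 ]; then
    mkdir -p "$2"
    ids=$(dump_tcp_flags "$1" | handshake_streams)
    echo "Full conversations: $(printf '%s\n' "$ids" | stream_filter)"
    for id in $ids; do extract_stream "$1" "$id" "$2"; done
fi
```

The per-stream files contain only conversations whose handshake was captured, so anything already in progress at capture start never reaches the replay.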






