Question

Is there any concept of a flow id in tshark? When I searched for filters, I found out that tcp.stream exists but its equivalent for UDP, i.e. udp.stream, doesn't exist. When I open a pcap, by default it shows the frame number, IP addresses, info, etc. In one column I also need the flow id of each packet along with the frame number. Does tshark provide such support? If not, is there any way I can do this?

I have written a program where I am reading a pcap file packet by packet, and I need the flow id for each packet read. If I use the tshark command as

 ./tshark -r in.pcap -z conv,tcp

it displays the packet number along with some other details, but I want the flow id to be displayed as well, which I can then read in my program.

Any help will be greatly appreciated. Thanks.


Solution

tcp.stream in Wireshark

Here is what Wireshark does to get tcp.stream. The TCP dissector has a global variable guint32 tcp_stream_index; then each packet is associated with a conversation. Each conversation's data is stored in a hash table (Wireshark uses GHashTable). They use the 5-tuple as the key. If they get a new 5-tuple they init a new conversation and increase tcp_stream_index there:

/* sketch of the dissector's per-conversation init; the counter is bumped once per new 5-tuple */
init_tcp_conversation_data(packet_info *pinfo)
{
    ...
    tcpd->stream = tcp_stream_index++;
    ...
}

And here is how they get the hash:

/*
 * Hash an address into a hash value (which must already have been set).
 */
#define ADD_ADDRESS_TO_HASH(hash_val, addr) { \
    const guint8 *ADD_ADDRESS_TO_HASH_data; \
    int ADD_ADDRESS_TO_HASH_index; \
    ADD_ADDRESS_TO_HASH_data = (addr)->data; \
    for (ADD_ADDRESS_TO_HASH_index = 0; \
         ADD_ADDRESS_TO_HASH_index < (addr)->len; \
         ADD_ADDRESS_TO_HASH_index++) \
         hash_val += ADD_ADDRESS_TO_HASH_data[ADD_ADDRESS_TO_HASH_index]; \
    }

...
hash_val = 0;
ADD_ADDRESS_TO_HASH(hash_val, &key->addr1);
hash_val += key->port1;
ADD_ADDRESS_TO_HASH(hash_val, &key->addr2);
hash_val += key->port2;
...

Adding a flow id to the packet

Here is a simple example of a Wireshark listener written in Lua. But you need the functions mk_flowid, update_conversation_data and show_gathered_statistics.

local tap

-- conversation data keyed by flow id, cleared on every reset
local conversations = {}

local function packet(pinfo, tvb, userdata)
    -- mk_flowid: build the key from the 5-tuple (both directions must yield the same id)
    local id = mk_flowid(pinfo.src, pinfo.src_port,
        pinfo.dst, pinfo.dst_port, pinfo.ipproto)

    -- the first packet of a new 5-tuple creates the conversation entry
    local conv = conversations[id]
    if conv == nil then
        conv = {}
        conversations[id] = conv
    end
    update_conversation_data(conv)

    -- Also you can output to a file
    -- to_file(pinfo.number, id)
end

local function draw(userdata)
    show_gathered_statistics(conversations)
end

local function reset(userdata)
    conversations = {}
end

local function show_myconv()
     tap = Listener.new()
     tap.packet = packet
     tap.draw = draw
     tap.reset = reset
end

register_stat_cmd_arg('myconv', show_myconv)

And to launch tshark:

tshark -X lua_script:myconv.lua -z myconv -r in.pcap
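As an added example (not code from the question, the answer or Wireshark itself), the same conversation-numbering scheme in Python for a program that reads a pcap packet by packet: a table keyed by the 5-tuple that hands out tcp_stream_index-style ids, with both directions of a conversation mapped to one id and UDP handled exactly like TCP. It assumes a little-endian libpcap file with Ethernet framing and plain IPv4 (no VLAN tags, no fragments); make_frame and make_pcap build a constructed sample capture inline (TCP A->B, a UDP flow, TCP B->A, UDP on the same A/B ports, and one ARP frame).

```python
import struct
class FlowTable:
    """Numbers conversations like Wireshark's tcp.stream: a new 5-tuple takes the next
    counter value, and both directions of a conversation share one id."""
    def __init__(self):
        self.ids, self.next_id = {}, 0  # next_id mirrors tcp_stream_index in the answer

    def flow_id(self, src, sport, dst, dport, proto):
        a, b = (src, sport), (dst, dport)
        key = (*min(a, b), *max(a, b), proto)  # canonical endpoint order: A->B == B->A
        if key not in self.ids:
            self.ids[key] = self.next_id
            self.next_id += 1
        return self.ids[key]

def packets_from_pcap(data):
    """Minimal libpcap walker (little-endian, Ethernet): yields (frame no, 5-tuple or None)."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "unexpected pcap magic"
    off, frame_no = 24, 0  # skip the 24-byte global header; frames count from 1
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]  # ts_sec, ts_usec, incl, orig
        pkt = data[off + 16:off + 16 + incl_len]
        off, frame_no, key = off + 16 + incl_len, frame_no + 1, None
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":  # EtherType IPv4
            l4, proto = 14 + (pkt[14] & 0x0F) * 4, pkt[23]
            if proto in (6, 17) and len(pkt) >= l4 + 4:  # TCP/UDP: ports are the first 4 bytes
                sport, dport = struct.unpack_from("!HH", pkt, l4)
                key = (".".join(map(str, pkt[26:30])), sport,
                       ".".join(map(str, pkt[30:34])), dport, proto)
        yield frame_no, key  # frames that are not IPv4 TCP/UDP get no flow id

def annotate(data):
    table = FlowTable()  # frame number alongside its flow id, as the question asks for
    return [(n, table.flow_id(*k) if k else None) for n, k in packets_from_pcap(data)]
def make_frame(src, sport, dst, dport, proto):
    """Constructed test frame: Ethernet + IPv4 (no options) + first 4 bytes of the L4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)
def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
# Constructed capture (see lead-in); the last frame is ARP and therefore gets no flow id
SAMPLE = make_pcap([make_frame("10.0.0.1", 40000, "10.0.0.2", 80, 6),
                    make_frame("10.0.0.3", 5353, "10.0.0.4", 53, 17),
                    make_frame("10.0.0.2", 80, "10.0.0.1", 40000, 6),
                    make_frame("10.0.0.1", 40000, "10.0.0.2", 80, 17),
                    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28])
```

annotate(SAMPLE) yields (frame, flow id) pairs; the reply frame shares id 0 with the request, while the UDP frame on the same ports gets its own id because the protocol is part of the key.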
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow