Command for separating/distinguising tcpstreams in pcap file on Linux

StackOverflow https://stackoverflow.com/questions/20114010

문제

I have a huge pcap file in which there thousand of tcpstreams , i need to separate these tcpstream and find out out packet loss for each of them , i am trying out TSHARK(http://www.faultserver.com/q/answers-how-to-calculate-packet-loss-from-a-binary-tcpdump-file-336588.html) , which can help me find out packet loss , retransmission but it dose that for entire pcap file . I want to get it for separate tcpstreams on my Linux box .

Thanks in advance. Jain

도움이 되었습니까?

해결책

It worked out for me with the following tshark commands :

tshark -r trace_2013-11-22_16:03:22.pcap -q -z ip_hosts,tree

Running as user "root" and group "root". This could be dangerous.

===================================================================

IP Addresses value rate percent

IP Addresses 11974 0.003422 27.61.14.188 9729 0.002781 81.25% 192.168.44.44 11974 0.003422 100.00% 101.223.166.12 311 0.000089 2.60% 223.178.146.17 325 0.000093 2.71% 223.228.148.15 465 0.000133 3.88% 223.182.31.6 313 0.000089 2.61% 117.96.87.7 711 0.000203 5.94% 171.78.138.26 120 0.000034 1.00%

===================================================================

tshark -r trace_2013-11-22_16:03:22.pcap -q io,stat,12000,"ip.addr==27.61.14.188 #&& tcp","COUNT(tcp.analysis.retransmission)ip.addr==27.61.14.188 && tcp.analysis.retransmission","COUNT(tcp.analysis.duplicate_ack)ip.addr==27.61.14.188 && tcp.analysis.duplicate_ack","COUNT(tcp.analysis.lost_segment)ip.addr==27.61.14.188 && tcp.analysis.lost_segment","COUNT(tcp.analysis.fast_retransmission)ip.addr==27.61.14.188 && tcp.analysis.fast_retransmission"

Running as user "root" and group "root". This could be dangerous.

=================================================================== IO Statistics Interval: 12000.000 secs Column #0: ip.addr==27.61.14.188 && tcp Column #1: COUNT(tcp.analysis.retransmission)ip.addr==27.61.14.188 && tcp.analysis.retransmission Column #2: COUNT(tcp.analysis.duplicate_ack)ip.addr==27.61.14.188 && tcp.analysis.duplicate_ack Column #3: COUNT(tcp.analysis.lost_segment)ip.addr==27.61.14.188 && tcp.analysis.lost_segment Column #4: COUNT(tcp.analysis.fast_retransmission)ip.addr==27.61.14.188 && tcp.analysis.fast_retransmission | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 Time |frames| bytes | COUNT | COUNT | COUNT | COUNT

000.000-12000.000 9729 7519861 393 1900 1 283

Thanks, Jain

라이센스 : CC-BY-SA ~와 함께 속성
제휴하지 않습니다 StackOverflow
scroll top