Wireshark · Ethereal-users: Re: [Ethereal-users] Calculate Time Difference for each SYN-SYN/ACK pairs

Ethereal-users: Re: [Ethereal-users] Calculate Time Difference for each SYN-SYN/ACK pairs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Sat, 30 Apr 2005 22:00:58 +0200

MATE (http://wiki.ethereal.com/Mate) can help for this.

bellow you'll find a mate config to measure syn-syn/ack.

with:
tethereal -o 'mate.config_filename: tcp_setup.mate' -r your_file.pcap
-zproto,colinfo,'mate.tcp_ses.Duration'  mate.tcp.synack

you'll get an extra column containing the elapsed time between syn and syn/acks.

Excell (or something similar) can do the rest.

Luis.

# tcp_setup.mate
# First you need to create a tcp pdu extracting the data you need
   Action=PduDef; Name=tcp; Proto=tcp; Transport=ip; addr=ip.addr;
port=tcp.port; tcp_syn=tcp.flags.syn; tcp_ack=tcp.flags.ack;

# we won't  deal with tcp pdus that have no syn
 Action=PduCriteria; For=tcp; tcp_syn=1;

# then we'll "mark" the pdus 
  Action=Transform; Name=syn_synack; tcp_syn=1; tcp_ack=1; .synack;
# if syn/ack matches MATE will stop so the syn/ack won't be marked as syn
  Action=Transform; Name=syn_synack;  tcp_syn=1;  .syn;

# we apply the transform
  Action=PduTransform; For=tcp; Name=syn_synack;

# then we need to group syn and syn/acks
   Action=GopDef; Name=tcp_ses; On=tcp_pdu; addr; addr; port; port; 

# then we'll  start a group at syn and stop at syn/ack
   Action=GopStart; For=tcp_ses;  syn;
   Action=GopStop; For=tcp_ses; synack;

References:
- [Ethereal-users] Calculate Time Difference for each SYN-SYN/ACK pairs
  - From: Lim Boon Ping

Prev by Date: Re: [Ethereal-users] Feature for NAT Capture Filter
Next by Date: Re: [Ethereal-users] Feature for NAT Capture Filter
Previous by thread: [Ethereal-users] Calculate Time Difference for each SYN-SYN/ACK pairs
Next by thread: [Ethereal-users] Feature for NAT Capture Filter
Index(es):
- Date
- Thread