Wireshark-users: Re: [Wireshark-users] aggregating packages in one messages
From: j.snelders@xxxxxxxxxx
Date: Fri, 4 Sep 2009 17:16:59 +0200
Hi Andrej, A conversation is all the traffic between two specific endpoints. An ethernet eindpoint is a mac address. An ip endpoint is an ip address. A tcp endpoint is a combination of a ip address and the tcp port used. A tcp conversation is a combination of two ip addresses and two ports: $ tshark -r test.pcap -R "(ip.addr==192.168.1.6 && tcp.port==1696 && ip.addr==67.212.143.22 && tcp.port==80)" -w test1.pcap http://www.wireshark.org/docs/wsug_html_chunked/ChStatConversations.html http://www.wireshark.org/docs/wsug_html_chunked/ChStatEndpoints.html#ChStatEndpointDefinition Best regards Joan On Fri, 4 Sep 2009 14:21:55 +0900 Andrej van der Zee wrote: >Hi, > >> Hi Andrej, >> >> Yep:) >> >> To see the different streams: >> $ tshark -r test.pcap -q -z conv,tcp > >Thank you so much again! This is great. > >What does "conversation" actually mean? Is this all the data that is >transmitted back and forth for the duration of the connection? I mean, >what event makes the conversation actually start and when does it end, >provided that the capture file contains the whole conversation? > >Thank you, >Andrej
- References:
- Re: [Wireshark-users] aggregating packages in one messages
- From: Andrej van der Zee
- Re: [Wireshark-users] aggregating packages in one messages
- Prev by Date: Re: [Wireshark-users] FTP analysis
- Next by Date: Re: [Wireshark-users] Counting the number of duplcate packets
- Previous by thread: Re: [Wireshark-users] aggregating packages in one messages
- Next by thread: [Wireshark-users] Bandwidth-Delay Product
- Index(es):