Wireshark-dev: [Wireshark-dev] filter on direction of (MP)TCP flow

From: Matt <mattator@xxxxxxxxx>
Date: Mon, 9 May 2016 18:07:05 +0200
Hi,

I typically use wireshark to export pcap dissection to csv (via
tshark), load these csv files via pandas (a really great python
library http://pandas.org) and then do some magic and generate some
matplotlib plots.
Sometimes, I need to filter packets to keep only one direction: from
client to server or the reverse. To the best of my knowledge, the current
way to do it is to filter on IPs, such as
"tcp.stream == 0 and src.ip == <IP>".
For TCP, finding the IP depending on the direction (client or server)
is as simple as finding who sent the SYN but I mostly work with MPTCP
in which case it is trickier. I would like to do "mptcp.stream == 0 &&
mptcp.dst == server", mptcp.dst being one of client/server/unknown.
Would it be ok to send such a patch? (I would also do it for TCP.)

Another approach, somewhat orthogonal, would be to have wireshark map
addresses to a host. The hosts <-> addresses mappings could be done
manually, loading from a file a list of IPs/MACs, and/or completed by
wireshark. For instance in Multipath TCP (MPTCP) communications,
provided that the whole communication is captured (including SYN
packets), it is possible to map the different IPs to their
respective host (depending on the MPTCP token, one knows if the TCP
subflow was initiated by the server or by the client).

In my case, I often work/analyze multihomed communications (which may
get more and more usual with protocols such as MPTCP, LISP, TRILL) and
filtering on IPs can become tedious, especially when trying to
automatize captures, hence the proposition.

One could do something like:
"tcp.dst == server and ip.src in host('client')" with host(hostname)
or host(<ip>) returning the set of addresses assigned to this host, so
that "tcp.dst == server and eth.src in host(192.168.1.1)" could also
be possible.


Regards
Matt
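The direction labelling Matt describes for plain TCP (the client is whoever sent the initial SYN), applied to a tshark CSV export, as an added example that is not part of the original post or of Wireshark. It assumes a field list of tcp.stream, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags.syn and tcp.flags.ack exported with -T fields, uses constructed sample rows, and handles the case the post does not spell out: a stream captured mid-connection, whose direction stays "unknown".

```python
import csv
import io
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, str]  # (ip, port) exactly as exported by tshark

# Constructed sample export (not from the original post) in the shape
# produced by:
#   tshark -r capture.pcap -T fields -E header=y -E separator=, \
#     -e tcp.stream -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
#     -e tcp.flags.syn -e tcp.flags.ack
# Stream 0 has its three-way handshake captured; stream 1 was captured
# mid-connection, so no SYN tells us which side is the client.
SAMPLE_CSV = """tcp.stream,ip.src,ip.dst,tcp.srcport,tcp.dstport,tcp.flags.syn,tcp.flags.ack
0,10.0.0.1,10.0.0.2,40000,80,1,0
0,10.0.0.2,10.0.0.1,80,40000,1,1
0,10.0.0.1,10.0.0.2,40000,80,0,1
0,10.0.0.2,10.0.0.1,80,40000,0,1
1,10.0.0.3,10.0.0.2,40001,80,0,1
1,10.0.0.2,10.0.0.3,80,40001,0,1
"""

# Assumption: tshark versions differ in how they render boolean fields
# ("1"/"0" in older releases, "True"/"False" in newer ones), so accept both.
TRUE_VALUES = {"1", "true", "set"}


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse a tshark CSV export into one dict per packet."""
    return list(csv.DictReader(io.StringIO(text)))


def is_set(flag: str) -> bool:
    return flag.strip().lower() in TRUE_VALUES


def find_clients(rows: List[Dict[str, str]]) -> Dict[str, Optional[Endpoint]]:
    """For every tcp.stream, the endpoint that sent the first pure SYN
    (SYN set, ACK clear), or None when no such packet was captured."""
    clients: Dict[str, Optional[Endpoint]] = {}
    for r in rows:
        stream = r["tcp.stream"]
        clients.setdefault(stream, None)
        if (clients[stream] is None
                and is_set(r["tcp.flags.syn"])
                and not is_set(r["tcp.flags.ack"])):
            clients[stream] = (r["ip.src"], r["tcp.srcport"])
    return clients


def label_direction(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return copies of the rows with an added 'tcp.dst' column holding
    'server' (client -> server), 'client' (server -> client) or 'unknown',
    mirroring the tcp.dst / mptcp.dst field proposed in the post."""
    clients = find_clients(rows)
    labelled = []
    for r in rows:
        client = clients[r["tcp.stream"]]
        if client is None:
            dst = "unknown"            # handshake not captured
        elif (r["ip.src"], r["tcp.srcport"]) == client:
            dst = "server"
        elif (r["ip.dst"], r["tcp.dstport"]) == client:
            dst = "client"
        else:
            dst = "unknown"            # neither side matches the SYN sender
        labelled.append({**r, "tcp.dst": dst})
    return labelled


def filter_direction(rows: List[Dict[str, str]], dst: str) -> List[Dict[str, str]]:
    """Equivalent of the display filter 'tcp.dst == <dst>' on labelled rows."""
    return [r for r in rows if r["tcp.dst"] == dst]


if __name__ == "__main__":
    packets = label_direction(parse_export(SAMPLE_CSV))
    for p in filter_direction(packets, "server"):
        print(p["tcp.stream"], p["ip.src"], "->", p["ip.dst"], p["tcp.dst"])
```

Only plain TCP is covered: the client of a stream is the sender of its pure SYN, so each stream yields one client address and one server address. Merging the addresses of several MPTCP subflows into one host, as the post's host(...) lookup would, needs the MPTCP token correlation the post mentions and is not implemented here.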