Wireshark-users: [Wireshark-users] Reconstruct TCP Sessions from pcap files?
From: Glenn Wilkinson <glenn.wilkinson@xxxxxxxxx>
Date: Tue, 14 Jul 2009 12:55:52 +0100
Hello Wiresharkers,

I've got some large pcap files from a network which I want to perform
some analysis on. I want to:

i) Extract Individual Packet Headers + Payload
I've managed to do this with some Perl scripting, using:

Net::TcpDumpLog, NetPacket::IP, and NetPacket::TCP

The code for that is here: http://perl.pastebin.com/m79529a69

ii) Recreate TCP Monologues + Sessions
I've found a tool called tcpflow [1] which reconstructs all tcp flows
and dumps their reconstructed payloads to individual files of the


iii) Combine the above two, ie reconstruct TCP sessions listing all
packet+header information within each session/monologue.
I'd ideally like some sort of datastructure of the form
session[monologue[packet]]] . From this I can build up some statistics
involving packet interarrival time, avg packet size, flow duration
etc. I've been wrestling with Perl's Net::Analysis [2]. The command:

$perl -MNet::Analysis -e main TCP,v=7 file.dump

dumps all sessions, monologues and packets to stdout. Being fairly new
to Perl, I can't figure out how to convert the above command into
code. The kludge approach I'm about to take is to dump the whole
output to a file and then parse it with another script, and then try
and match each packet in the Net::Analysis output to each packet in my
above scripts output. Not so ideal.

My overall goal is to have a file output which has something like the
following, one per line:

flow_num, IP_src, IP_dest, TCP_srcPort, TCP_dstPort,
num_of_packets_in_flow, avg_packet_payload_size,
avg_packet_interarrival_time, hash_of_flow_payload

So, to get to my questions:
a) Would anyone know of any tools / be able to help with some code
from Net::Analysis to recreate TCP sessions into a format
session[monologue[packet]]] ?
b) Does tshark provide a way to accomplish this? I've been playing
with it but haven't been able to get it to do more than list all
packets (i.e can it follow streams like Wireshark?)

Many thanks,

[1] http://www.circlemud.org/~jelson/software/tcpflow/
[2] http://search.cpan.org/~worrall/Net-Analysis/