
Wireshark-users: Re: [Wireshark-users] aggregating packages in one messages

Date: Fri, 4 Sep 2009 17:16:59 +0200
Hi Andrej,

A conversation is all the traffic between two specific endpoints.
An Ethernet endpoint is a MAC address.
An IP endpoint is an IP address.
A TCP endpoint is a combination of an IP address and the TCP port used.

A TCP conversation is a combination of two IP addresses and two ports:
$ tshark -r test.pcap -R "(ip.addr==192.168.1.6 && tcp.port==1696 && ip.addr==67.212.143.22 && tcp.port==80)" -w test1.pcap

http://www.wireshark.org/docs/wsug_html_chunked/ChStatConversations.html
http://www.wireshark.org/docs/wsug_html_chunked/ChStatEndpoints.html#ChStatEndpointDefinition

Best regards
Joan

On Fri, 4 Sep 2009 14:21:55 +0900 Andrej van der Zee wrote:

>Hi,
>
>> Hi Andrej,
>>
>> Yep:)
>>
>> To see the different streams:
>> $ tshark -r test.pcap -q -z conv,tcp
>
>Thank you so much again! This is great.
>
>What does "conversation" actually mean? Is this all the data that is
>transmitted back and forth for the duration of the connection? I mean,
>what event makes the conversation actually start and when does it end,
>provided that the capture file contains the whole conversation?
>
>Thank you,
>Andrej
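To make Joan's definition concrete, here is an added example, not code from this thread or from the Wireshark project, that does in plain Python what `tshark -z conv,tcp` reports: it pulls the MAC, IP and (IP, port) endpoints out of raw Ethernet frames, keys every frame on the unordered pair of TCP endpoints so that both directions fall into one conversation, and keeps per-direction frame and byte counters plus first and last timestamp. The sample frames are constructed inline (the addresses and ports are the ones from Joan's command; the MAC addresses are made up), and `read_pcap` is a minimal classic-libpcap reader so the same function can be pointed at a real `test.pcap`. It also demonstrates a caveat with the `ip.addr==A && tcp.port==P && ip.addr==B && tcp.port==Q` filter from the thread: each term matches either direction on its own, so a frame between A:Q and B:P, which is a different conversation, passes as well; the `ip.src`/`tcp.srcport`/`ip.dst`/`tcp.dstport` form built by `conversation_filter(key, strict=True)` is exact.

```python
"""Added example (not from the thread or Wireshark): group Ethernet/IPv4/TCP frames into
TCP conversations the way `tshark -z conv,tcp` reports them, and build the display
filter for one conversation. Sample frames below are constructed, not captured."""
import struct

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame for sample input (checksums left as zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp

def parse_frame(raw):
    """Endpoints at each layer, as in Joan's definition: MAC pair, IP pair, (IP, port) pair."""
    if len(raw) < 54 or raw[12:14] != b"\x08\x00" or raw[23] != 6:
        return None  # not TCP over IPv4 over Ethernet
    ihl = (raw[14] & 0x0F) * 4
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    src_ip, dst_ip = (".".join(map(str, raw[i:i + 4])) for i in (26, 30))
    sport, dport = struct.unpack("!HH", raw[14 + ihl:18 + ihl])
    return {"eth": (mac(raw[6:12]), mac(raw[:6])), "ip": (src_ip, dst_ip),
            "tcp": ((src_ip, sport), (dst_ip, dport)), "len": len(raw)}

def tcp_conversations(frames):
    """frames: iterable of (timestamp, raw_frame). The key is the unordered pair of TCP
    endpoints, so A->B and B->A frames land in one entry with per-direction counters."""
    convs = {}
    for ts, raw in frames:
        p = parse_frame(raw)
        if p is None:
            continue
        src, dst = p["tcp"]
        key = (src, dst) if src <= dst else (dst, src)  # canonical order of the two endpoints
        c = convs.setdefault(key, {"frames_ab": 0, "bytes_ab": 0, "frames_ba": 0,
                                   "bytes_ba": 0, "start": ts, "end": ts})
        d = "ab" if (src, dst) == key else "ba"
        c["frames_" + d] += 1
        c["bytes_" + d] += p["len"]
        c["start"], c["end"] = min(c["start"], ts), max(c["end"], ts)
    return convs

def conversation_filter(key, strict=True):
    """strict=False is the ip.addr/tcp.port form from the thread; it also matches the mirrored
    pairing A:Q <-> B:P, which is a different conversation. strict=True pins each direction."""
    (ip_a, port_a), (ip_b, port_b) = key
    if not strict:
        return f"ip.addr=={ip_a} && tcp.port=={port_a} && ip.addr=={ip_b} && tcp.port=={port_b}"
    return (f"(ip.src=={ip_a} && tcp.srcport=={port_a} && ip.dst=={ip_b} && tcp.dstport=={port_b})"
            f" || (ip.src=={ip_b} && tcp.srcport=={port_b} && ip.dst=={ip_a} && tcp.dstport=={port_a})")

def filter_matches(parsed, key, strict=True):
    """Evaluate conversation_filter(key, strict) on one parsed frame with Wireshark semantics:
    ip.addr==X and tcp.port==P are true when either the source or the destination matches."""
    a, b = key
    src, dst = parsed["tcp"]
    if strict:
        return (src, dst) in ((a, b), (b, a))
    ips, ports = set(parsed["ip"]), {src[1], dst[1]}
    return a[0] in ips and b[0] in ips and a[1] in ports and b[1] in ports

def read_pcap(path):
    """Yield (timestamp, raw_frame) from a classic libpcap file with Ethernet link type,
    so tcp_conversations(read_pcap("test.pcap")) works on a real capture (pcapng not handled)."""
    with open(path, "rb") as f:
        magic = f.read(4)
        if magic not in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
            raise ValueError("not a libpcap file")
        endian = "<" if magic[0] in (0xd4, 0x4d) else ">"
        divisor = 1e9 if magic in (b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d") else 1e6
        f.read(20)  # remainder of the 24-byte global header
        while len(hdr := f.read(16)) == 16:
            sec, frac, incl_len, _ = struct.unpack(endian + "IIII", hdr)
            yield sec + frac / divisor, f.read(incl_len)

CLIENT_MAC, GW_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed
CLIENT, SERVER = "192.168.1.6", "67.212.143.22"                 # addresses from Joan's command
SAMPLE_FRAMES = [
    (0.000, build_frame(CLIENT_MAC, GW_MAC, CLIENT, SERVER, 1696, 80, b"GET / HTTP/1.1\r\n")),
    (0.050, build_frame(GW_MAC, CLIENT_MAC, SERVER, CLIENT, 80, 1696, b"HTTP/1.1 200 OK\r\n")),
    (0.100, build_frame(CLIENT_MAC, GW_MAC, CLIENT, SERVER, 1696, 80)),  # bare ACK
    (0.200, build_frame(CLIENT_MAC, GW_MAC, CLIENT, SERVER, 1697, 80, b"GET /x HTTP/1.1\r\n")),
    (0.300, build_frame(CLIENT_MAC, GW_MAC, CLIENT, SERVER, 80, 1696)),  # mirrored ports
]

if __name__ == "__main__":
    for (a, b), c in tcp_conversations(SAMPLE_FRAMES).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  A->B {c['frames_ab']}/{c['bytes_ab']}B  "
              f"B->A {c['frames_ba']}/{c['bytes_ba']}B  {c['end'] - c['start']:.3f}s")
    print(conversation_filter(((CLIENT, 1696), (SERVER, 80))))
```

Run it as a script to see three conversations: the 1696/80 exchange with two frames client to server and one back, the separate 1697/80 conversation, and the mirrored 80/1696 frame, which the loose filter from the thread would have pulled into `test1.pcap` although it belongs to a different conversation. Two caveats for anyone repeating Joan's command on a current tshark: `-R` is now a two-pass read filter that needs `-2`, with `-Y` being the single-pass display filter, and Wireshark numbers each TCP conversation in the `tcp.stream` field, so `tcp.stream eq N` selects exactly one conversation without spelling out both endpoints.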