Wireshark-users: Re: [Wireshark-users] aggregating packages in one messages
Date: Fri, 4 Sep 2009 17:16:59 +0200
Hi Andrej,

A conversation is all the traffic between two specific endpoints.
An Ethernet endpoint is a MAC address.
An IP endpoint is an IP address.
A TCP endpoint is a combination of an IP address and the TCP port used.

A tcp conversation is a combination of two ip addresses and two ports:
$ tshark -r test.pcap -R "(ip.addr== && tcp.port==1696 && ip.addr== && tcp.port==80)" -w test1.pcap


Best regards

On Fri, 4 Sep 2009 14:21:55 +0900 Andrej van der Zee wrote:

>> Hi Andrej,
>> Yep:)
>> To see the different streams:
>> $ tshark -r test.pcap -q -z conv,tcp
>Thank you so much again! This is great.
>What does "conversation" actually mean? Is this all the data that is
>transmitted back and forth for the duration of the connection? I mean,
>what event makes the conversation actually start and when does it end,
>provided that the capture file contains the whole conversation?
>Thank you,
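The reply above defines a TCP conversation as the pair of (IP address, TCP port) endpoints and shows the tshark filter that pulls one conversation out of a capture. The following is an added example, not code from the thread or from the Wireshark project: it parses raw Ethernet/IPv4/TCP frames, groups them by that unordered endpoint pair the way `tshark -q -z conv,tcp` summarises them (frames and bytes in each direction), and selects one conversation's frames, the in-memory equivalent of the `-R ... -w test1.pcap` step. The addresses, ports, MAC addresses and payloads are constructed sample data, not from the original capture.

```python
# Added example (not from the mailing-list post): group TCP packets into
# conversations keyed by the unordered pair of (ip, port) endpoints, which is
# what `tshark -z conv,tcp` summarises and what the 4-tuple display filter
# in the reply selects. Frames are built in memory; no pcap or tshark needed.
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def build_frame(src_ip, src_port, dst_ip, dst_port, payload=b"", flags=0x18):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data; MACs are
    dummies and checksums stay zero because only the addressing matters here)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, src_port, dst_ip, dst_port, frame_len), or None if the
    frame is not IPv4/TCP (e.g. ARP), i.e. what a plain `tcp` filter keeps."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src_ip, src_port, dst_ip, dst_port, len(frame)


def conversation_key(src_ip, src_port, dst_ip, dst_port):
    """Canonical key for a TCP conversation: both endpoints in sorted order, so
    the two directions of one connection map to the same key."""
    a, b = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (a, b)


def tcp_conversations(frames):
    """Per-conversation frame and byte counts in each direction (A->B, B->A),
    the figures that `tshark -q -z conv,tcp` prints per row."""
    stats = defaultdict(lambda: {"frames_ab": 0, "bytes_ab": 0, "frames_ba": 0, "bytes_ba": 0})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue  # not TCP: never part of a TCP conversation
        src_ip, src_port, dst_ip, dst_port, length = parsed
        key = conversation_key(src_ip, src_port, dst_ip, dst_port)
        direction = "ab" if (src_ip, src_port) == key[0] else "ba"
        stats[key]["frames_" + direction] += 1
        stats[key]["bytes_" + direction] += length
    return dict(stats)


def select_conversation(frames, endpoint_a, endpoint_b):
    """Keep only the frames of one conversation: the in-memory equivalent of the
    ip.addr/tcp.port display filter plus `-w test1.pcap` in the reply."""
    wanted = tuple(sorted([endpoint_a, endpoint_b]))
    kept = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is not None and conversation_key(*parsed[:4]) == wanted:
            kept.append(frame)
    return kept


# Constructed capture: one HTTP connection (client port 1696 <-> server port
# 80), a second connection from port 1700, and an ARP frame that is not TCP.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE_FRAMES = [
    build_frame(CLIENT, 1696, SERVER, 80, flags=0x02),                   # SYN
    build_frame(SERVER, 80, CLIENT, 1696, flags=0x12),                   # SYN/ACK
    build_frame(CLIENT, 1696, SERVER, 80, b"GET / HTTP/1.0\r\n\r\n"),    # request
    build_frame(SERVER, 80, CLIENT, 1696, b"HTTP/1.0 200 OK\r\n\r\nhi"),  # response
    build_frame(CLIENT, 1700, SERVER, 80, flags=0x02),                   # other conversation
    bytes.fromhex("ffffffffffff" "66778899aabb" "0806") + bytes(28),     # ARP, skipped
]
CONVERSATIONS = tcp_conversations(SAMPLE_FRAMES)

if __name__ == "__main__":
    for (a, b), s in CONVERSATIONS.items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  "
              f"A->B {s['frames_ab']} frames {s['bytes_ab']} bytes  "
              f"B->A {s['frames_ba']} frames {s['bytes_ba']} bytes")
    print(len(select_conversation(SAMPLE_FRAMES, (CLIENT, 1696), (SERVER, 80))), "frames selected")
```

Run as a script it prints two conversation rows, the 1696<->80 one with two frames each way, and "4 frames selected". Note that this groups purely by the address/port pair, as the conversation statistics do; it makes no attempt to detect the SYN handshake that opens a connection or the FIN/RST that closes it, so two successive connections reusing the same client port would land in one group here.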