
Is there any concept of a flow id in tshark? When I searched for filters, I found out that tcp.stream exists but its equivalent for UDP, i.e. udp.stream, doesn't exist. When I open a pcap, by default it shows the frame number, IP addresses, info etc. In one column I also need the flow id of each packet along with the frame number. Does tshark provide such support? If not, is there any way I can do this?

I have written a program where I am reading a pcap file packet by packet, and I need the flow id for each packet read. If I use the tshark command

 ./tshark -r in.pcap -z conv,tcp

it displays the packet number along with some other details, but I want the flow id also to be displayed so that I can read it in my program.

Any help will be greatly appreciated. Thanks.

mezda
    Do you mean you want a number (flow id) associated with each pair of IP/port for the UDP protocol? – graphite Oct 22 '12 at 10:55
  • @graphite: I need the flow id for each packet in the pcap (irrespective of whether it is UDP or TCP). If this is not possible in tshark, can we write some script using tshark by which we can calculate the flow id for each packet, OR is there some standard library which has some function to calculate the flow id (to assign a new flow id or an existing flow id) given the 5-tuple for the flow? – mezda Oct 22 '12 at 16:12

1 Answer

tcp.stream in wireshark

Here is what Wireshark does to get tcp.stream. The TCP dissector has a global variable guint32 tcp_stream_index; then each packet is associated with a conversation. Each conversation's data is stored in a hash table (Wireshark uses GHashTable). They use the 5-tuple as the key. If they get a new 5-tuple they init a new conversation and increase tcp_stream_index there:

init_tcp_conversation_data(packet_info *pifo)
{
    ...
    tcpd->stream = tcp_stream_index++;
    ...
}

And here is how they get the hash:

/*
 * Hash an address into a hash value (which must already have been set).
 */
#define ADD_ADDRESS_TO_HASH(hash_val, addr) { \
    const guint8 *ADD_ADDRESS_TO_HASH_data; \
    int ADD_ADDRESS_TO_HASH_index; \
    ADD_ADDRESS_TO_HASH_data = (addr)->data; \
    for (ADD_ADDRESS_TO_HASH_index = 0; \
         ADD_ADDRESS_TO_HASH_index < (addr)->len; \
         ADD_ADDRESS_TO_HASH_index++) \
         hash_val += ADD_ADDRESS_TO_HASH_data[ADD_ADDRESS_TO_HASH_index]; \
    }

...
hash_val = 0;
ADD_ADDRESS_TO_HASH(hash_val, &key->addr1);
hash_val += key->port1;
ADD_ADDRESS_TO_HASH(hash_val, &key->addr2);
hash_val += key->port2;
...

Adding flowid to the packet

Here is a simple example of a Wireshark listener written in Lua. But you need to write the functions mk_flowid, update_conversation_data and show_gathered_statistics yourself.

local tap

-- flow id -> per-conversation data, keyed by the 5-tuple
local conversations = {}

-- Called once per packet that reaches the listener.
local function packet(pinfo, tvb, userdata)
    -- mk_flowid: map the 5-tuple to a flow id (to be written by you)
    local id = mk_flowid(pinfo.src, pinfo.src_port,
        pinfo.dst, pinfo.dst_port, pinfo.ipproto)

    -- first packet of a new 5-tuple starts a new conversation
    local conv = conversations[id]
    if conv == nil then
        conv = {}
        conversations[id] = conv
    end
    update_conversation_data(conv)

    -- Also you can output to a file
    -- to_file(pinfo.number, id)
end

-- Called when the capture has been read completely.
local function draw(userdata)
    show_gathered_statistics(conversations)
end

-- Called when the capture is re-read.
local function reset(userdata)
    conversations = {}
end

local function show_myconv()
     tap = Listener.new()
     tap.packet = packet
     tap.draw = draw
     tap.reset = reset
end

register_stat_cmd_arg('myconv', show_myconv)

And to launch tshark:

tshark -X lua_script:myconv.lua -z myconv -r in.pcap
graphite
  • I'm not able to get what you are trying to tell here... I just need one function to calculate the flow id. Please let me know if there is some standard library function meant for that purpose. – mezda Oct 25 '12 at 05:13
  • I just need the UDP flow id (similar to that given by tcp.stream for the TCP flows) for the UDP packets. Please let me know how to do that? Thanks. – mezda Oct 26 '12 at 08:08
  • @user1182722, I have described how Wireshark does it for TCP; hope that can help. – graphite Oct 26 '12 at 09:42
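The answer above describes the mechanism behind tcp.stream: a conversation table keyed by the 5-tuple, and a counter that is handed out the first time a new 5-tuple is seen. The following script is an added example (not from the answer or from Wireshark's code) that implements that same mechanism stand-alone in Python for both TCP and UDP, so the questioner's program can get a flow id per frame number without depending on a udp.stream field. It assumes an Ethernet-encapsulated IPv4 pcap (link type 1, little-endian magic, no VLAN tags); the sample capture is constructed inline so the script runs offline. Note one deliberate choice: the key is made direction-independent, so both halves of a connection get the same id, as in Wireshark's conversation table; unlike Wireshark, a single counter is shared between TCP and UDP because the question asks for one id space across both.

```python
"""
Added example: assign a Wireshark-style flow id to every TCP/UDP packet
in a pcap, following the conversation-table scheme the answer describes.
Assumptions: Ethernet/IPv4 frames, little-endian pcap (magic 0xA1B2C3D4).
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# (ip proto, addr A, port A, addr B, port B) with (A, portA) <= (B, portB)
FlowKey = Tuple[int, bytes, int, bytes, int]


class FlowTable:
    """Conversation table: first-seen 5-tuple -> incrementing stream index."""

    def __init__(self) -> None:
        self._streams: Dict[FlowKey, int] = {}
        self._next = 0  # plays the role of tcp_stream_index in the TCP dissector

    @staticmethod
    def key(proto: int, src: bytes, sport: int, dst: bytes, dport: int) -> FlowKey:
        # Canonicalise endpoint order so A->B and B->A share one conversation.
        a, b = (src, sport), (dst, dport)
        if b < a:
            a, b = b, a
        return (proto, a[0], a[1], b[0], b[1])

    def flow_id(self, proto: int, src: bytes, sport: int, dst: bytes, dport: int) -> int:
        k = self.key(proto, src, sport, dst, dport)
        if k not in self._streams:          # new 5-tuple: start a new conversation
            self._streams[k] = self._next
            self._next += 1
        return self._streams[k]


def pcap_packets(data: bytes) -> Iterator[bytes]:
    """Yield the captured bytes of each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (only little-endian, usec)")
    off = 24                                 # global header is 24 bytes
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_eth_ipv4(frame: bytes) -> Optional[Tuple[int, bytes, int, bytes, int]]:
    """Return (proto, src, sport, dst, dport) for TCP/UDP over IPv4, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (6, 17):                 # TCP or UDP only
        return None
    l4 = ip[ihl:]
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    return proto, ip[12:16], sport, ip[16:20], dport


def assign_flow_ids(pcap: bytes) -> List[Tuple[int, int, int]]:
    """(frame number, ip proto, flow id) for every TCP/UDP packet, in file order."""
    table = FlowTable()
    out: List[Tuple[int, int, int]] = []
    for num, frame in enumerate(pcap_packets(pcap), start=1):
        t = parse_eth_ipv4(frame)
        if t is not None:
            out.append((num, t[0], table.flow_id(*t)))
    return out


# --- constructed sample capture (not a real trace) ------------------------
def _frame(proto: int, src: bytes, sport: int, dst: bytes, dport: int) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16   # minimal TCP header
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)          # UDP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return eth + ip + l4


def build_pcap(frames: List[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


A, B, C = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])
SAMPLE_PCAP = build_pcap([
    _frame(6, A, 40000, B, 80),    # frame 1: TCP A->B      -> flow 0
    _frame(17, A, 5000, C, 53),    # frame 2: UDP A->C      -> flow 1
    _frame(6, B, 80, A, 40000),    # frame 3: TCP B->A      -> flow 0 (reverse)
    _frame(17, C, 53, A, 5000),    # frame 4: UDP C->A      -> flow 1 (reverse)
    _frame(17, A, 5000, C, 53),    # frame 5: UDP A->C      -> flow 1
    _frame(6, A, 40001, B, 80),    # frame 6: new TCP port  -> flow 2
])

if __name__ == "__main__":
    for num, proto, fid in assign_flow_ids(SAMPLE_PCAP):
        print(num, "tcp" if proto == 6 else "udp", fid)
```

To use it on a real file, replace SAMPLE_PCAP with the contents of in.pcap read in binary mode. One caveat a practitioner should keep in mind: Wireshark's TCP dissector additionally starts a new stream index when it sees a SYN on a 5-tuple whose previous connection has closed; this example keys purely on the 5-tuple, so a reused port pair stays in the same flow.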