views:

149

answers:

2

The protocol is very simple and is developed on top of TCP. I need to analyze a big libpcap dump file to calculate the average value and standard deviation of the conversation time and of the number of packets per conversation.

Using Wireshark it's simple to analyze the TCP conversations between the endpoints, but the summary includes all of the TCP packets (lots of SYNs, ACKs and FINs), and this messes up the data.

Is there another tool to do this kind of analysis? Is there a way to EASILY extend Wireshark's functionality?

A: 

Not sure I understand exactly what you need, but if you're looking to analyze only the packets with application data in them you can ask Wireshark to display only those packets with the PSH ("push to application") flag set.

Adam Liss
Setting the display filter to data.net > 0 doesn't solve the problem. I need to analyze the conversations, but there are multiple conversations happening simultaneously, as multiple clients talk to the server.
boobsbr
What exactly do you need to measure? Are you trying to separate the individual conversations?
Adam Liss
A: 

What exactly this protocol contains? Is there any specific header for its own usage? Wireshark provides many complex filtering options that you can explore.

If you want to do it using program, you can try PCAP or PF_SOCK. You may need to write your own filtering criteria then.

Jack