Reputation: 111
I want to check how many connections are created by my connection pool library to a particular host. I have a tcpdump capture; from this, how do I get the number of established connections using Wireshark? I can get it using the tcptrace tool, but I want to know how to do it in Wireshark.
Upvotes: 3
Views: 11324
Reputation: 1705
Try this. It might not be 100% accurate, as it only sees connections with some data on them and assumes some idealistic things, but it's good enough for most cases:
# Reads the capture with epoch timestamps (-tt) and numeric addresses (-n), keeps only
# packets on the server port (13000, matching the sed patterns below), prefixes each line
# with the client port, classifies the line as open (SYN), close (FIN/RST) or isopen
# (a packet carrying data), and prints the running count of open connections whenever
# it changes. Replace __file__ with the capture file name.
tcpdump -tt -n -r __file__ \
| grep '\.13000' \
| sed -e 's/^.*IP [^>]\+\.\([^ ]\+\) > 10.0.10.1.13000:.*$/\1:&/g' \
      -e 's/^.*IP 10.0.10.1.13000 > [^:]\+\.\([^ ]\+\): .*$/\1:&/g' \
| sed -e 's/ IP .* > .*: Flags \[[^]]*S[^]]*\].*/:open/g' \
      -e 's/ IP .* > .*: Flags \[[^]]*[RF][^]]*\].*/:close/g' \
| grep -v 'length 0' \
| sed 's/ IP .* > .*: Flags .*/:isopen/g' \
| gawk -F: 'BEGIN{ cons["x"]=1; }{
    if ( $3 == "open" || $3 == "isopen" ) { cons[$1] = 1; }
    if ( $3 == "close" ) { delete cons[$1]; };
    printf("%s %s %s\n", strftime("%Y%m%dT%H%M%S",int($2)), $2, (length(cons) - 1) ); }' \
| uniq -f 2
Appreciate comments, fixes or corrections. Note: this checks a specific port and IP (10.0.10.1.13000); you can tune it a bit to make it work for any port and IP.
Upvotes: 0
Reputation: 106
"How many" could mean how many concurrent, which would be a little more difficult, but how many over the course of a packet capture is much easier, and since you are working off a tcpdump, I'm going to assume that's what you are looking for.
If your source IP was 192.168.1.1 and the destination host is 192.168.1.2, then apply a filter like this:
ip.src == 192.168.1.1 && ip.dst == 192.168.1.2 && tcp.flags.syn == 1
If there is the potential that the destination host in your question is also establishing connections to the source host, then the source host will also be sending back SYN,ACKs to accept those connections, so to filter those out, add this to the end:
&& tcp.flags.ack == 0
When that filter is applied, only new connections will be displayed, and then you can look in the status bar at the bottom of Wireshark. It will show you how many packets there are in total, and how many are being displayed. The number of displayed packets will be the number of connections established during the capture.
If you are looking for concurrent connections at any given time, Wireshark might not be your best option, as in that case you would be looking for the number of connections (SYNs) that happen before the corresponding FINs or RSTs (end of connections), which is more of a statistical function.
Also worth noting that if the source of the capture is on the source host, the SYNs/connections in that capture aren't guaranteed to have been accepted/successful. You would also need to verify that a full three-way handshake was performed for each connection: SYN, SYN-ACK, ACK.
Upvotes: 3
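As an added example (not code from the question or either answer), the script below does in Python what the gawk pipeline in the first answer does and what the second answer describes: it walks `tcpdump -tt -n` output for one server endpoint, counts bare SYNs (the packets the Wireshark filter would display), counts only the connections whose SYN, SYN-ACK, ACK handshake actually completed, and tracks the peak number of concurrently established connections. The server endpoint 10.0.10.1:13000 is taken from the first answer; the tcpdump line format is assumed, and the sample lines are constructed for the demo.

```python
# Added example: count connections to one server endpoint from `tcpdump -tt -n` text
# output. Not code from the question or either answer. Assumes tcpdump's default one-line
# TCP format with epoch timestamps (-tt) and numeric addresses (-n); the sample lines and
# the server endpoint used in the demo are constructed.
import re
from dataclasses import dataclass, field

# One tcpdump line: "<epoch> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: two completed handshakes (the first later closed), one client whose
# SYN is retransmitted and never answered, and one packet to an unrelated port.
SAMPLE_LINES = [
    "1700000000.000100 IP 10.0.10.2.40001 > 10.0.10.1.13000: Flags [S], seq 100, win 64240, options [mss 1460], length 0",
    "1700000000.000200 IP 10.0.10.1.13000 > 10.0.10.2.40001: Flags [S.], seq 500, ack 101, win 65160, length 0",
    "1700000000.000300 IP 10.0.10.2.40001 > 10.0.10.1.13000: Flags [.], ack 1, win 502, length 0",
    "1700000000.000400 IP 10.0.10.2.40001 > 10.0.10.1.13000: Flags [P.], seq 1:30, ack 1, win 502, length 29",
    "1700000000.001000 IP 10.0.10.2.40002 > 10.0.10.1.13000: Flags [S], seq 200, win 64240, length 0",
    "1700000000.001100 IP 10.0.10.1.13000 > 10.0.10.2.40002: Flags [S.], seq 600, ack 201, win 65160, length 0",
    "1700000000.001200 IP 10.0.10.2.40002 > 10.0.10.1.13000: Flags [.], ack 1, win 502, length 0",
    "1700000000.002000 IP 10.0.10.2.40001 > 10.0.10.1.13000: Flags [F.], seq 30, ack 1, win 502, length 0",
    "1700000000.002100 IP 10.0.10.1.13000 > 10.0.10.2.40001: Flags [F.], seq 1, ack 31, win 509, length 0",
    "1700000000.003000 IP 10.0.10.2.40003 > 10.0.10.1.13000: Flags [S], seq 300, win 64240, length 0",
    "1700000000.004000 IP 10.0.10.2.40003 > 10.0.10.1.13000: Flags [S], seq 300, win 64240, length 0",  # retransmitted SYN
    "1700000000.005000 IP 10.0.10.9.50000 > 10.0.10.1.22: Flags [S], seq 1, win 64240, length 0",  # unrelated port
]


@dataclass
class Summary:
    syn_packets: int = 0      # client SYNs without ACK: what `tcp.flags.syn == 1 && tcp.flags.ack == 0` shows
    handshakes: int = 0       # connections whose SYN, SYN-ACK, ACK all appeared in the capture
    peak_concurrent: int = 0  # most connections established at the same moment
    open_at_end: int = 0      # established and not yet closed when the capture ends
    incomplete: int = 0       # SYN seen, but the handshake never completed (unanswered or reset)
    timeline: list = field(default_factory=list)  # (timestamp, concurrent) after each change


def summarize(lines, server_ip, server_port):
    """Track each client's handshake state in capture order and return the counts."""
    server = (server_ip, int(server_port))
    state = {}  # (client_ip, client_port) -> "syn_sent" | "syn_received" | "established"
    summary = Summary()
    concurrent = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or unparseable line
        ts = float(m["ts"])
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        flags = m["flags"]  # "." in tcpdump flags means ACK is set
        if dst == server:
            client, to_server = src, True
        elif src == server:
            client, to_server = dst, False
        else:
            continue  # traffic to other endpoints is out of scope
        current = state.get(client)
        if "R" in flags or "F" in flags:
            # First FIN or RST from either side ends the connection; the peer's FIN is ignored.
            if current == "established":
                concurrent -= 1
                summary.timeline.append((ts, concurrent))
            elif current is not None:
                summary.incomplete += 1  # torn down before the handshake finished
            state.pop(client, None)
        elif "S" in flags and "." not in flags and to_server:
            summary.syn_packets += 1  # retransmitted SYNs are counted here, as Wireshark would
            if current is None:
                state[client] = "syn_sent"
        elif "S" in flags and "." in flags and not to_server:
            if current == "syn_sent":
                state[client] = "syn_received"  # server answered with SYN-ACK
        elif to_server and current == "syn_received" and "." in flags:
            state[client] = "established"  # third handshake packet (ACK, possibly with data)
            summary.handshakes += 1
            concurrent += 1
            summary.peak_concurrent = max(summary.peak_concurrent, concurrent)
            summary.timeline.append((ts, concurrent))
    summary.open_at_end = concurrent
    summary.incomplete += sum(1 for s in state.values() if s != "established")
    return summary


if __name__ == "__main__":
    import sys
    # Reads piped tcpdump output if present, otherwise runs on the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    s = summarize(source, "10.0.10.1", 13000)
    print(f"SYN packets: {s.syn_packets}  completed handshakes: {s.handshakes}  "
          f"peak concurrent: {s.peak_concurrent}  open at end: {s.open_at_end}  "
          f"incomplete: {s.incomplete}")
```

On a real capture, feed it tcpdump's text output (file name assumed): `tcpdump -tt -n -r capture.pcap 'tcp port 13000' | python3 count_conns.py`. On the sample, the four SYN packets the Wireshark filter would display correspond to only two completed handshakes, which is exactly the gap the second answer warns about: a SYN count includes retransmissions and refused or unanswered attempts, so the count of completed three-way handshakes is the number the question actually asks for.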