Session reconstruction from Pcap Files?
 

Hello,

I'm trying to perform some analysis on pcap files. I've written a script using Perl's Net::TcpDumpLog which allows me to parse each individual packet and extract header information as well as the payload. For example, here's what I'm currently printing out:

Now I want to look at some statistics regarding TCP sessions. I've been playing with a few tools to reconstruct flows, such as tcpflow [1]. tcpflow reconstructs sessions and dumps session data into files, but does not give much information at all on the individual packets that made up the flow.

I want to be in a position where I have, say, a flow object which consists of all the packet objects which make up the flow. Ultimately I want to create output containing stats on each flow, one flow per line. For example:

I've been playing with tshark[2] and Net::Analysis[3] too, but haven't managed to get what I want. Any assistance would be greatly appreciated.

Many thanks,
Glenn

[1] http://www.circlemud.org/~jelson/software/tcpflow/
[2] http://www.wireshark.org/docs/man-pages/tshark.html
[3] http://search.cpan.org/~worrall/Net-Analysis-0.40/

Try wireshark's "follow tcp stream"

Yeah that's useful for following individual streams manually, but when I have 30GBs that I want to break down my hand gets tired of clicking :) But I managed to get it sorted in the end with a very cool tool called Netdude.