// The "tcp.stream eq <index>" display filter selects a single TCP session by its stream index; the example below isolates stream 794.
$ TZ=UTC tshark -n -t ud -r tcpdump_20210405_063341.pcap \
-Y "tcp.stream eq 794"
23152 2021-04-05 06:34:14.307291 10.0.14.231 → 10.0.134.187 TCP 76 31566 → 31790 [SYN] Seq=0 Win=26883 Len=0 MSS=8961 SACK_PERM=1 TSval=2042992871 TSecr=0 WS=256
23157 2021-04-05 06:34:14.307408 10.0.134.187 → 10.0.14.231 TCP 76 31790 → 31566 [SYN, ACK] Seq=0 Ack=1 Win=26697 Len=0 MSS=8911 SACK_PERM=1 TSval=2647712296 TSecr=2042992871 WS=128
23158 2021-04-05 06:34:14.307733 10.0.14.231 → 10.0.134.187 TCP 68 31566 → 31790 [ACK] Seq=1 Ack=1 Win=27136 Len=0 TSval=2042992871 TSecr=2647712296
23161 2021-04-05 06:34:14.307828 10.0.14.231 → 10.0.134.187 PROXYv1 117 31566 → 31790 [PSH, ACK] Seq=1 Ack=1 Win=27136 Len=49 TSval=2042992871 TSecr=2647712296
// HTTP Request
23164 2021-04-05 06:34:14.308841 10.0.14.231 → 10.0.134.187 HTTP 635 GET /dddddddddd HTTP/1.1
23169 2021-04-05 06:34:14.308861 10.0.134.187 → 10.0.14.231 TCP 68 31790 → 31566 [ACK] Seq=1 Ack=617 Win=27904 Len=0 TSval=2647712297 TSecr=2042992871
// HTTP Response
23680 2021-04-05 06:34:15.311728 10.0.134.187 → 10.0.14.231 HTTP 414 HTTP/1.0 200 OK (text/html)
23684 2021-04-05 06:34:15.312048 10.0.14.231 → 10.0.134.187 TCP 68 31566 → 31790 [ACK] Seq=617 Ack=347 Win=28160 Len=0 TSval=2042993875 TSecr=2647713300
23748 2021-04-05 06:34:15.416932 10.0.14.231 → 10.0.134.187 TCP 68 31566 → 31790 [FIN, ACK] Seq=617 Ack=347 Win=28160 Len=0 TSval=2042993980 TSecr=2647713300
23753 2021-04-05 06:34:15.417029 10.0.134.187 → 10.0.14.231 TCP 68 31790 → 31566 [FIN, ACK] Seq=347 Ack=618 Win=27904 Len=0 TSval=2647713405 TSecr=2042993980
23754 2021-04-05 06:34:15.417310 10.0.14.231 → 10.0.134.187 TCP 68 31566 → 31790 [ACK] Seq=618 Ack=348 Win=28160 Len=0 TSval=2042993981 TSecr=2647713405