Using Tshark to get all Avaya telephones sorted..


Hi all, I'm having trouble with the following script. What it's supposed to do is:

  1. read all files in the folder one by one
  2. filter on all Avaya OUI MAC addresses (is there a better way for this as well?)
  3. print only eth src, dst and ip src and dst addresses
  4. print all unique entries sorted in a file called MAC-$file.csv

    $ for file in dir -d * ; do
    tshark.exe -r "$file" -R "eth.addr contains 00:04:0D || eth.addr contains 00:1B:4F || eth.addr contains 00:E0:07 || eth.addr contains 04:8A:15 || eth.addr contains 2C:F4:C5 || eth.addr contains 3C:3A:73 || eth.addr contains 3C:B1:5B || eth.addr contains 44:32:2A || eth.addr contains 58:16:26 || eth.addr contains 70:38:EE || eth.addr contains 90:FB:5B || eth.addr contains B4:B0:17 || eth.addr contains C8:F4:06 || eth.addr contains CC:F9:54 || eth.addr contains FC:A8:41" -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst -E header=y -E separator=, -E quote=d -E occurrence=f | sort | uniq -c -w MAC-$file.csv
    done

    uniq: MAC-nohsrp-voice-DT-00001_di_13-03-2012_10-39-17.csv: invalid number of bytes to compare

I then get a "uniq" message that quotes the above; I'm guessing I'm doing something wrong here ;-)
Can anybody help?

asked 04 May '12, 01:49

Marc

accept rate: 27%

Since it seems to be a problem with uniq, please run the command without the last | uniq and look at the output / post it here if possible. There seems to be something uniq complains about, but without seeing it it's difficult to answer.

(04 May '12, 01:55) Landi

Hmm, maybe I've got the sequence wrong, should it be -w MAC-$file.csv | sort | uniq -c ? So tshark > out | then sort | uniq ?

(04 May '12, 02:29) Marc

I'd skip -w in tshark if you want to pipe to sort and uniq and use write stdout to file instead or do it in two steps for debugging by using

  1. tshark -r -R ... -w file.csv
  2. cat file.csv | sort | uniq > finalfile.txt

(04 May '12, 02:40) Landi

So (for my humble understanding..) I don't use the "tshark -w file.csv" option to redirect the output of the tshark command string, but instead take the output and redirect it through 'sort | uniq -c' and then put it in a file, as such:

    for file in dir -d * ; do tshark.exe -r "$file" -R "eth.addr contains AV:AY:AM:AC-OUI" -T fields -e eth.src -e eth.dst -E header=y -E separator=, -E quote=d -E occurrence=f | sort | uniq -c > MAC-$file.csv; done

Thanks for all your input by the way :-)

(04 May '12, 03:06) Marc

Either way should work (maybe with a little tweaking). Did your last try mentioned above work out for you?

(04 May '12, 03:52) Landi

Not yet, I'm missing something... I'll get to it!

(04 May '12, 06:12) Marc

Strange...

    D:>tshark.exe -r test2.pcap -R "eth.addr contains xx:yy" -T fields -e eth.src -e eth.dst -E header=y -E separator=, -E quote=d -E occurrence=f | sort | uniq -c

     10 "00:1d:e0:41:xx:yy","00:90:0e:02:0a:89"
      9 "00:90:0e:02:0a:89","00:1d:e0:41:xx:yy"
      1 eth.src,eth.dst


works perfectly fine for me, although I'd stick to just eth.src plus ip.src to make the list easier to handle

(04 May '12, 08:45) Landi

Yep, it did for me as well! Thanks guys! After I had to work through 63 traces, I got 63 csv files of course, now sorting out how I can awk that into something that totals everything ;-) I'll get there. Btw I did get rid of the (-R "eth.addr contains AV:AY:AM:AC-OUI") because I filtered these out already and ended up with:

    for file in dir -d * ; do tshark.exe -r "$file" -T fields -e eth.src -e eth.dst -E header=y -E separator=, -E quote=d -E occurrence=f | sort | uniq -c > MAC-$file.csv; done

(06 May '12, 11:07) Marc

total everything?

(06 May '12, 11:15) Kurt Knochner ♦

One Answer:


uniq does have a parameter -w, however it's not a filename, as in your script.

-w Specifies the number of characters to compare in lines

As already mentioned, just redirect the output of uniq with >, e.g. uniq -c > MAC-$file.csv


answered 04 May '12, 02:56

Kurt Knochner ♦
accept rate: 15%

edited 04 May '12, 03:00
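
The totalling step Marc mentions in the comments, as an added example that is not part of the original thread: it sums the `uniq -c` counts across the per-trace `MAC-*.csv` files and keeps only pairs where either MAC carries one of the Avaya OUIs from the question's filter. The names `total_pairs` and `demo` and the sample MAC addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): total per-trace "uniq -c" files.
# OUI list copied from the question's tshark filter, lower-cased.
AVAYA_OUIS="00:04:0d 00:1b:4f 00:e0:07 04:8a:15 2c:f4:c5 3c:3a:73 3c:b1:5b \
44:32:2a 58:16:26 70:38:ee 90:fb:5b b4:b0:17 c8:f4:06 cc:f9:54 fc:a8:41"

# total_pairs FILE...
# Sums the leading count that "uniq -c" wrote for each "eth.src","eth.dst"
# line across all files, keeping pairs where either MAC has an Avaya OUI.
# Prints "total,src,dst", highest total first.
total_pairs() {
    awk -v ouis="$AVAYA_OUIS" '
        BEGIN { n = split(ouis, o, " "); for (i = 1; i <= n; i++) want[o[i]] = 1 }
        {
            count = $1                            # count added by uniq -c
            sub(/^[ \t]*[0-9]+[ \t]+/, "")        # drop that count column
            sub(/\r$/, "")                        # strip a CR if the file has CRLF
            if ($0 == "eth.src,eth.dst") next     # header row from -E header=y
            line = tolower($0)
            gsub(/"/, "", line)                   # quotes from -E quote=d
            split(line, mac, ",")
            if (!(substr(mac[1], 1, 8) in want) &&
                !(substr(mac[2], 1, 8) in want)) next
            total[line] += count
        }
        END { for (k in total) printf "%d,%s\n", total[k], k }
    ' "$@" | sort -t, -k1,1nr -k2
}

# Constructed sample: two per-trace files shaped like "sort | uniq -c" output.
demo() {
    d=$(mktemp -d)
    printf '     10 "00:04:0d:aa:bb:01","00:90:0e:02:0a:89"\n' >  "$d/MAC-a.csv"
    printf '      1 eth.src,eth.dst\n'                         >> "$d/MAC-a.csv"
    printf '      5 "00:04:0D:AA:BB:01","00:90:0e:02:0a:89"\n' >  "$d/MAC-b.csv"
    printf '      3 "00:11:22:33:44:55","00:90:0e:02:0a:89"\n' >> "$d/MAC-b.csv"
    printf '      1 eth.src,eth.dst\n'                         >> "$d/MAC-b.csv"
    total_pairs "$d"/MAC-*.csv
    rm -rf "$d"
}
```

After the per-trace loop has finished, `total_pairs MAC-*.csv > totals.csv` writes one line per MAC pair for the whole capture set.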