This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Group by mac address

0

Hello,

I searched a lot but I don't find a solution. I would to know if it is possible in tshark to filter the traffic (in Bytes) for each mac address

exemple :

00:ce:56:fd:34:ab -> 8000 Bytes
00:ce:89:fd:37:c8 -> 16788 Bytes

I have started something like this :

tshark -r myfile -qz io,stat,0,1,SUM(...

Any idea please ?

kevin

asked 01 Mar '11, 08:29

steameraproject's gravatar image

steameraproject
1111
accept rate: 0%

edited 01 Mar '11, 14:06

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245

3 Answers:

0

Try this:
tshark -r test.pcap -q -z conv,eth,eth.addr==00:ce:56:fd:34:ab -z conv,eth,eth.addr==00:ce:89:fd:37:c8

Just some other examples:
$ tshark -r test.pcap -q -z conv,eth
$ tshark -r test.pcap -q -z conv,eth -z conv,ip -z conv,tcp
$ tshark -r test.pcap -q -z conv,tcp,ip.addr==192.168.100.1 -z conv,ip,ip.addr==192.168.136.1

answered 01 Mar '11, 10:32

joke's gravatar image

joke
1.3k4934
accept rate: 9%

edited 02 Mar '11, 03:40

0

Thank you so much for your quick response !! I will try this tomorrow.

Another question : My goal is to detect abnormal traffic volume during the night (virus...) I do not necessarily know all the mac address as they connect to wifi

so is it possible to combine the data volume per mac address without knowing them ?

something like this :

 tshark -r test.pcap -q -z conv,eth,eth.addr==*

thank you again kevin

answered 02 Mar '11, 09:38

steameraproject's gravatar image

steameraproject
1111
accept rate: 0%

0

To see all ethernet conversations use:
$ tshark -r test.pcap -q -z conv,eth

To redirect output to a text file use:
$ tshark -r test.pcap -q -z conv,eth > test.txt

answered 02 Mar '11, 10:41

joke's gravatar image

joke
1.3k4934
accept rate: 9%