This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark count output

0

In the following version...

TShark 1.10.7 (v1.10.7-0-g6b931a1 from master-1.10)

Is this expected?

sudo /usr/local/bin/tshark -n -q -r cdp-01-ccc-2014-05-21-accounting-and-accepts.cap -z io,stat,0,"COUNT(radius.code)radius.code" 'radius.code==2'





2: COUNT(radius.code)radius.code











Interval




——————————————




0.0 <> 86307.0






============================================
| IO Statistics                            |
|                                          |
| Interval size:   407.0 secs (dur)        |
| Col 1: Frames and bytes                  |


sudo /usr/local/bin/tshark -n -r cdp-01-ccc-2014-05-21-accounting-and-accepts.cap -z io,stat,0,"COUNT(radius.code)radius.code" 'radius.code==2' | grep Access-Accept | wc -l 1618

Why is there such a difference in counts and what should it be?

asked 30 May ‘14, 12:52

loner_t's gravatar image

loner_t
11113
accept rate: 0%

edited 30 May ‘14, 13:46

grahamb's gravatar image

grahamb ♦
19.8k330206

One Answer:

0

Why is there such a difference in counts and what should it be?

because you are using -q (be quiet) in the first case, which tells tshark to not print a line for every packet in the capture file. As you did not use -q in the second case, you are getting a much larger number of lines, one per frame in the pcap file. That's totally expected behavior. See the man page of tshark.

http://www.wireshark.org/docs/man-pages/tshark.html

Regards
Kurt

answered 31 May '14, 07:19

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks, Kurt. The reason for not using -q in second one was to see and count of actual packets with radius.code==2.

Also, even though my interval is set to 0 in both cases, tshark uses 407.0 seconds as an interval. The man page says, if interval is set to 0, the count function is over the entire duration of the capture, which in my specific case is roughly 24 hours.

Am I interpreting the man page correctly? The goal is to count the number of packets with radius.code==2 accurately.

(31 May '14, 08:08) loner_t

The goal is to count the number of packets with radius.code==2 accurately

Then please try this (not tested):

tshark -nr cdp-01-ccc-2014-05-21-accounting-and-accepts.cap -Y "radius.code==2" | grep Access-Accept | wc -l

(01 Jun '14, 15:56) Kurt Knochner ♦