capinfos: data size of received and sent packages

Question

Hi, I'm using dumpcap and capinfos to get the total size of traffic data. But I want to split these in total SENT traffic, and total RECEIVED traffic.

capinfos -D <file> (this command just give me the total)

Is it possible to do something like this:

capinfos -D <file> -SENT (just the total sent) capinfos -D <file> -RECEIVED (just the total received)

I know that tshark have a lot of features for especial scenarios like this, but I'm not too familiar with the syntax. From what I read in the docs, I can specify fields to retrieve and even do the SUM expression.

Any help?

Thanks in advance,

Answer 1

tshark can do the trick:
Here are some examples:

$ tshark -r http.pcap -q -z conv,eth -z conv,ip -z conv,tcp
TCP Conversations
Filter:<no filter="">
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.128:1047 <-> 64.186.152.93:80           9      7834       7      1358      16      9192
192.168.108.128:1048 <-> 64.186.152.93:80           4      1868       4       623       8      2491
================================================================================
================================================================================
IPv4 Conversations
Filter:<no filter="">
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.128      <-> 64.186.152.93             13      9702      11      1981      24     11683
192.168.108.128      <-> 192.168.108.2              1       202       1        73       2       275
================================================================================
================================================================================
Ethernet Conversations
Filter:<no filter="">
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
00:0c:29:61:82:89    <-> 00:50:56:ee:98:59         14      9904      13      2096      27     12000
00:50:56:ee:98:59    <-> ff:ff:ff:ff:ff:ff          0         0       1        60       1        60
================================================================================
================================================================================
$ tshark -r http.pcap -q -z conv,eth,eth.addr==00:0c:29:61:82:89 -z conv,ip,ip.addr==192.168.108.2 -z conv,tcp,ip.addr==64.186.152.93
================================================================================
TCP Conversations
Filter:ip.addr==64.186.152.93
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.128:1047 <-> 64.186.152.93:80           9      7834       7      1358      16      9192
192.168.108.128:1048 <-> 64.186.152.93:80           4      1868       4       623       8      2491
================================================================================
================================================================================
IPv4 Conversations
Filter:ip.addr==192.168.108.2
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.128      <-> 192.168.108.2              1       202       1        73       2       275
================================================================================
================================================================================
Ethernet Conversations
Filter:eth.addr==00:0c:29:61:82:89
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
00:0c:29:61:82:89    <-> 00:50:56:ee:98:59         14      9904      13      2096      27     12000
================================================================================
$ tshark -r update.pcap -qz io,stat,60,"COUNT(frame.cap_len)frame.cap_len","MIN(frame.cap_len)frame.cap_len","MAX(frame.cap_len)frame.cap_len","AVG(frame.cap_len)frame.cap_len"
===================================================================
IO Statistics
Interval: 60.000 secs
Column #0: COUNT(frame.cap_len)frame.cap_len
Column #1: MIN(frame.cap_len)frame.cap_len
Column #2: MAX(frame.cap_len)frame.cap_len
Column #3: AVG(frame.cap_len)frame.cap_len
                |   Column #0    |   Column #1    |   Column #2    |   Column #3
Time            |          COUNT |            MIN |            MAX |            AVG
000.000-060.000               547               42             1514              829
060.000-120.000             32857               42             1514              998
120.000-180.000             39550               42             1514              997
180.000-240.000                30               42              403              211
240.000-300.000                17               60              403              312
300.000-360.000                22               60              403              265
360.000-420.000                41               46              403              263
===================================================================

Answer 2

Hi there,

I'm using the -z conv,ip option and I have a doubt. Tshark show as columns "frames" and "bytes" for each endpoint in the conversation, the question is:

when tshark says "bytes", are RX o TX ? It's looks like Tshark show us the RX byte. Is there any switch to choose TX field specifically?

Thanks!

Answer 3

See the TShark man-page:
"The table is presented with one line for each conversation and displays the number of packets/bytes in each direction as well as the total number of packets/bytes. The table is sorted according to the total number of bytes."

$ tshark -r test.pcap -qz conv,ip
IPv4 Conversations
Filter:<no filter="">
|       <-      | |       ->      | |     Total     |
| Frames  Bytes | | Frames  Bytes | | Frames  Bytes |