This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Port statistics

0

Hello,

I'm looking for syntax in Wireshark/tshark, or any other tool for pcap analysis, for port statistics. I don't know if it's possible, but I need to make statistics of ports in a pcap file: show statistics by port and display them in descending order by occurrence. The calculation will be performed only on well-known ports (0-1023).

Output should be something like:

  • PORT NAME COUNT
  • 80 HTTP 5000
  • 443 HTTPS 500
  • 25 SMTP 80
  • 143 IMAP 70 ....

Thanks a lot

asked 06 Apr '15, 12:56

Eduard Woidig
6113
accept rate: 0%

edited 06 Apr '15, 12:59

Hi Eduard - Did you try the Statistics function within Wireshark? In Wireshark, select Statistics from the top menu. Then select Conversations. A window pop-up will be displayed with multiple tabs. You can select TCP. In the TCP tab, you can arrange the amount of traffic in descending order by either bytes or packets. The only limitation on this approach is that each TCP stream (IP-address:TCP-port) is treated separately.

(07 Apr '15, 07:37) Amato_C

One Answer:

1
C:\Program Files\Wireshark>tshark -i 1 -qz io,stat,5,http,smtp,imap
Capturing on 'Local Area Connection'
4866 packets captured

===============================================================
| IO Statistics
|
| Duration: 29.30456 secs
| Interval: 5 secs
|
| Col 1: http
|     2: smtp
|     3: imap
|--------------------------------------------------------------
| Interval
|--------------------------------------------------------------
| 0 <> 5
| 5 <> 10
| 10 <> 15
| 15 <> 20
| 20 <> 25
| 25 <> Dur
===============================================================

C:\Program Files\Wireshark>

answered 08 Apr '15, 10:31

John_Modlin
1205
accept rate: 0%

edited 08 Apr '15, 10:41

grahamb ♦
19.8k330206
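
An added example, not part of the original question or answers: one way to produce the PORT / NAME / COUNT table the question asks for, by post-processing tshark's tab-separated field output. It assumes the input came from `tshark -r capture.pcap -T fields -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport` (the file name is a placeholder); the sample lines and the short name table are constructed for illustration.

```python
import sys
from collections import Counter

# Constructed name table; extend it or replace it with a services file lookup.
NAMES = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 143: "IMAP", 443: "HTTPS"}

# Constructed sample of tshark -T fields output, one line per packet.
# Columns: tcp.srcport, tcp.dstport, udp.srcport, udp.dstport (empty if absent).
SAMPLE = (
    "51000\t80\t\t\n"
    "80\t51000\t\t\n"              # reply counts for port 80 as well
    "51001\t443\t\t\n"
    "\t\t53124\t53\n"              # UDP DNS query
    "51002\t25\t\t\n"
    "51003\t80\t\t\n"
    "\t\t\t\n"                     # frame with no TCP/UDP layer (e.g. ARP)
    "51004\t8080\t\t\n"            # no well-known port involved
    "40000,51005\t443,22\t\t\n"    # tunnelled packet: tshark joins repeats with ','
)

def port_stats(lines, max_port=1023):
    """Count packets per well-known port, sorted by count descending."""
    counts = Counter()
    for line in lines:
        ports = set()  # a packet counts once per distinct port it touches
        for field in line.rstrip("\n").split("\t"):
            for value in field.split(","):
                if value.isdigit() and int(value) <= max_port:
                    ports.add(int(value))
        counts.update(ports)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def format_table(stats):
    """Render the stats in the PORT NAME COUNT layout from the question."""
    rows = ["PORT  NAME     COUNT"]
    for port, count in stats:
        rows.append(f"{port:<5} {NAMES.get(port, '-'):<8} {count}")
    return "\n".join(rows)

if __name__ == "__main__":
    # Use piped tshark output when present, otherwise the constructed sample.
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    print(format_table(port_stats(lines)))
```

TCP and UDP are merged under one port number here; key the counter on a (protocol, port) pair if they need to be reported separately.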