This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Basically I'm trying to get a total amount of bytes transferred per port (22, 5900, 5901, etc) but tshark does not seem to give the same results as wireshark... what am I doing wrong? I've tested this with wireshark/tshark 1.12.5 on win7 and tshark 1.10.6 on Ubuntu linux, same results. All tests reading from the same pcap file.

I added "Cumulative Bytes" as a column then applied a filter: "tcp.port==22". Cumulative bytes at the bottom for this filter is 396974.

Tshark gives me 71578 bytes from the same data:

tshark.exe -r tcpdump.pcap -qz io,stat,0,,"BYTES()tcp.port==22"

Using tshark, how can I get a statistical dump of the total tx/rx bytes per port (tcp.port) from the entire file based on a list of ~ 20 specific ports ? (it would be lot faster then running wireshark filters manually then copying the last "Cumulative Bytes" value each time)

asked 19 May '15, 13:19

CptFuzzy's gravatar image

CptFuzzy
6113
accept rate: 0%

edited 19 May '15, 16:05

cmaynard's gravatar image

cmaynard ♦♦
9.3k1038142

1

Can you post a sample capture file, to cloudshark for example?

(19 May '15, 14:19) cmaynard ♦♦

I can't post the file I'm working on as it has real IP's in it... I'll try and create another file that i can share and reproduce the problem. Is "BYTES()tcp.port==22" the correct method to get all the traffic for that port?

(19 May '15, 15:44) CptFuzzy
1

Is "BYTES()tcp.port==22" the correct method to get all the traffic for that port?

I don't know. If there's IP fragmentation occurring, for example, it might not be. Or maybe it is and there's a Wireshark bug. Or perhaps there's a Wireshark preference setting that needs to be changed. Or maybe running tshark with other options, such as the -2 option, for example, might give you the output you need. It's hard [for me] to say without looking at a sample capture file.

(19 May '15, 16:04) cmaynard ♦♦

Thanks for the comments. I'll try to get a 'clean' capture file and start again. Thanks for the cloudshark link - could be useful.

(20 May '15, 07:44) CptFuzzy

@CptFuzzy

You can use TraceWrangler to anonymize your capture file and then post the anonymized one.

(20 May '15, 07:51) grahamb ♦

In general it works (same values in the GUI and tshark). I just tested with 1.12.1 on Win7. So, the problem could be related to your capture file.

Can you please test with the following test file to see if you get the same result as I do.

Test file: https://www.cloudshark.org/captures/60efe7c0e18b

tshark.exe -r http.pcapng -qz io,stat,0,,"BYTES()tcp.port==80","BYTES
()tcp.srcport==80","BYTES()tcp.dstport==80"

==========================================
| IO Statistics                          |
|                                        |
| Duration: 0.688 secs                   |
| Interval: 0.688 secs                   |
|                                        |
| Col 1: BYTES()tcp.port==80             |
|     2: BYTES()tcp.srcport==80          |
|     3: BYTES()tcp.dstport==80          |
|----------------------------------------|
|                |1      |2      |3      |
| Interval       | BYTES | BYTES | BYTES |
|----------------------------------------|
| 0.000 <> 0.688 | 11409 | 10443 |   966 |
==========================================

alt text

Regards
Kurt

permanent link

answered 19 May '15, 21:48

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 19 May '15, 21:49

Thank you for your answers. I will try a few things and post results. In the mean-time, is there a way to validate my pcap file? perhaps remove incomplete/invalid records?

(20 May '15, 07:42) CptFuzzy

is there a way to validate my pcap file? perhaps remove incomplete/invalid records?

Hard to tell without access to the capture file.

(24 May '15, 02:47) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×32
×4
×2

question asked: 19 May '15, 13:19

question was seen: 2,636 times

last updated: 24 May '15, 02:47

p​o​w​e​r​e​d by O​S​Q​A