I know that by doing
I can read all the TCP flows but I would like to see specifically the number of flows that exist on a pcap file. I do not want to do that through wc -l because I am not sure if the output is always similar and whether additional lines will be added. asked 28 Jan '16, 07:55  altdrugzgene |
One Answer:
Maybe use the fields option and directly output the tcp.stream field, then post-process that to find the highest unique value, e.g. using PowerShell: Basically sort the stream integers into descending order, omitting duplicates, then select the first 1 (or head). Note that this will give a 0-based index of the streams, to get the actual stream count you still have to add 1. Update: Added coercion to int to fix numeric sort, plus an offset to make the numbers 1 based and the resulting count accurate. answered 28 Jan '16, 08:15  grahamb ♦ edited 28 Jan '16, 09:47 |
Thanks for your reply. Interestingly from the first piece tshark -r pcap.pcap -T fields -e tcp.stream I am getting 53 as the largest however I noticed that there are 54 flows! Is it starting counting from 0 ? I am using linux btw so no powershell for me! :P
Note the last bit of my answer about the stream field being 0-based.
In bash you should be able to run
... | sort -ur | head -1This returns totally wrong number.. dunno why
Add
-gto the sort parms to make it a numeric sort?sweet that worked.. still have to get the first entry with -g though. I thought it would be possible to get it from tshark itself but ok. Cheers and Thanks