This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark Stats - IP conversations sorted to most bytes?

0

Right now I am using: tshark -r "C:\Users\admin\Desktop\capture.cap" -qz "conv,ip"

This displays host IP conversations with hosts that have the most frames topping the results. Seems typically the hosts with the most frames usually have the most bytes in their conversations, but not always. Is there anyway to make the hosts with the most bytes in these conversations appear at the top, then descending in value by byte count?

asked 23 Feb '16, 10:24

zer0day's gravatar image

zer0day
217811
accept rate: 60%


2 Answers:

1

Looking at the source, no, the sorting is hard-coded to be by the number of frames.

You could raise an enhancement request to request the functionality.

answered 25 Feb '16, 15:27

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

Thanks for taking the time to look, much appreciated.

(27 Feb '16, 17:47) zer0day

0

Try this:

for aa in `ls *.pcap`; do
    echo -------------
    echo ==== $aa ====
    echo "                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |"
    echo "                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |"
    tshark -r $aa -q -z conv,ip | grep -v -E "====|Conversations|Filter|Total|Frames" | sort -nr -k 9 | head
done

or just

tshark -r file.pcap -q -z conv,ip | grep -v -E "====|Conversations|Filter|Total|Frames" | sort -nr -k 9 | head

answered 14 Jul '17, 15:09

gag99's gravatar image

gag99
61
accept rate: 0%

edited 15 Jul '17, 05:30

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572

The above script appears to be bash based along with several common *nix utilities and as such, won't work for the OP who appears to be running Windows.

The OP could install a *nix compatibility tool such as Cygwin or mingw (as provided by Git for Windows) to run the scripts or convert them to something that works out of the box, e.g. PowerShell.

(15 Jul '17, 07:20) grahamb ♦