I am currently using this... tshark -r "C:\Users\admin\Desktop\test\capture.cap" -o ip.use_geoip:TRUE -T fields -e frame.len -e ip.src -e ip.dst -e ip.geoip.dst_asnum My result... 12469 60 192.168.3.98 208.117.253.29 AS43515 YOUTUBE What values does the "12469" and "60" represent(I know frame length), but is the "12469" bytes and the "60" the number of packets? asked 16 May '16, 10:41  zer0day edited 16 May '16, 10:42 |
One Answer:
My guess is that you're using an old version of Wireshark and it's incorrectly displaying the capture count (12469 in this case). What version of Wireshark are you using? You could try upgrading your version of Wireshark to see if it resolves your problem. answered 16 May '16, 12:14  cmaynard ♦♦ |
I am using tshark version 1.12.8, less than 6 months old. This is a capture reflecting 40+ users on our network, so if you think it's incorrect cause it is a large number, just letting you know that it could be correct.
In that case, I'm not sure why the first number is being printed. I tried this on my system with both 1.12.0 and 1.12.11 and neither one print the first erroneously displayed number. Maybe it's data-dependent? Can you post the capture file somewhere?
My bad, the "12469" value is a count of how many frames were seen between the 192.168.x.x source and the destination, it's a line in my script that preforms this operation. So then , what does the "60" represent? 60b, 60kb, 60mb?
The unit for frame length is bytes.