I usually obtain flow information by opening statistics features in the wireshark. However, this way is blocked when the pcap file is too big to open(it will cause RAM overload when loading big pcap file into wireshark). I wonder if I could get flow statistical feature via command line, like tshark, editcap or something else. I really appreciate if some experts help me out. Best regards asked 15 Jun '16, 01:04 Rui |
One Answer:
You can cut the capture files in half if that helps. Have a look at the command line tools capinfos and editcap. Tshark has some interesting statistics options as well. answered 15 Jun '16, 05:05 Jaap ♦ |
I wanna get netflow information like flow duration, flow start time, flow transmission rate on both ends. The pcap file is merged from 180 small pcap files and ends up about 83GB. I conduct that for the reason that some single flow perhaps divide into multi flow if don't merge all the files. I dont wanna miss any details on the flow information. Could you help me out?
netflow, that's not an available output of Wireshark related tools. These are tools primarily aimed at getting at the every individual bit of a packet and show its meaning. Netflow is aggregating as much as possible, an analysis function which Wireshark has some of, but not its strong suit.
Maybe riverbed has something on offer for you, click on their logo on the right.
As suggested by Jaap, look at Riverbed's SteelCentral Packet Analyzer, there's a 30 day free trial.
@Jaap @grahamb Thank you for your commitment, I really appreciate your valuable advice for me. I will have a trail on the software you recommended