This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I usually obtain flow information by opening the statistics features in Wireshark. However, this approach is blocked when the pcap file is too big to open (loading a big pcap file into Wireshark causes RAM overload). I wonder if I could get flow statistical features via the command line, using tshark, editcap or something else. I would really appreciate it if some experts could help me out. Best regards

asked 15 Jun '16, 01:04


Rui


You can cut the capture files in half if that helps. Have a look at the command line tools capinfos and editcap.

Tshark has some interesting statistics options as well.


answered 15 Jun '16, 05:05


Jaap ♦

I want to get netflow information like flow duration, flow start time, and flow transmission rate on both ends. The pcap file is merged from 180 small pcap files and ends up at about 83GB. I did that because a single flow might be divided into multiple flows if I don't merge all the files. I don't want to miss any details of the flow information. Could you help me out?

(15 Jun '16, 06:56) Rui

Netflow, that's not an available output of Wireshark-related tools. These are tools primarily aimed at getting at every individual bit of a packet and showing its meaning. Netflow is aggregating as much as possible, an analysis function which Wireshark has some of, but it's not its strong suit.

Maybe Riverbed has something on offer for you; click on their logo on the right.

(15 Jun '16, 08:34) Jaap ♦

As suggested by Jaap, look at Riverbed's SteelCentral Packet Analyzer, there's a 30 day free trial.

(15 Jun '16, 14:10) grahamb ♦

@Jaap @grahamb Thank you for your commitment, I really appreciate your valuable advice. I will have a trial of the software you recommended.

(15 Jun '16, 18:20) Rui
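
Added example (not part of the original thread and not Wireshark project code): one way to get the start time, duration and per-direction rate asked about above from the command line is to let tshark export one row per packet and fold the rows into flows as they stream past. Assumptions: TCP over IPv4 only; `merged.pcap` and `flows.py` are placeholder names; the sample rows are constructed.

```python
import sys
from collections import namedtuple

# Input rows come from tshark (file and script names are placeholders):
#   tshark -r merged.pcap -Y tcp -T fields -E occurrence=f \
#     -e frame.time_epoch -e ip.src -e tcp.srcport \
#     -e ip.dst -e tcp.dstport -e frame.len | python3 flows.py

Flow = namedtuple("Flow", "a b start duration bytes_a_to_b bytes_b_to_a")

def aggregate(lines):
    """Fold tab-separated packet rows into bidirectional flows.

    Memory grows with the number of flows, not the number of packets.
    """
    state = {}  # (a, b) -> [first_ts, last_ts, bytes a->b, bytes b->a]
    for line in lines:
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) != 6 or "" in cols:
            continue  # e.g. IPv6 (no ip.src) or a truncated row
        ts, length = float(cols[0]), int(cols[5])
        src, dst = (cols[1], int(cols[2])), (cols[3], int(cols[4]))
        key = (src, dst) if src <= dst else (dst, src)
        rec = state.setdefault(key, [ts, ts, 0, 0])
        rec[0], rec[1] = min(rec[0], ts), max(rec[1], ts)
        rec[2 if src == key[0] else 3] += length
    return [Flow(a, b, r[0], r[1] - r[0], r[2], r[3])
            for (a, b), r in sorted(state.items())]

def rate_bps(nbytes, duration):
    """Average bits per second; None when the flow has zero duration."""
    return 8 * nbytes / duration if duration > 0 else None

# Constructed sample rows (not from a real capture), same columns as above.
SAMPLE = [
    "1000.0\t10.0.0.1\t40000\t10.0.0.2\t80\t100\n",
    "1000.5\t10.0.0.2\t80\t10.0.0.1\t40000\t1500\n",
    "1001.0\t10.0.0.3\t5000\t10.0.0.2\t80\t40\n",
    "1002.0\t10.0.0.1\t40000\t10.0.0.2\t80\t60\n",
    "1003.0\t\t\t\t\t60\n",  # no IPv4/TCP fields: skipped
]

if __name__ == "__main__":
    rows = SAMPLE if sys.stdin.isatty() else sys.stdin
    for f in aggregate(rows):
        print(f.a, f.b, f.start, f.duration,
              rate_bps(f.bytes_a_to_b, f.duration),
              rate_bps(f.bytes_b_to_a, f.duration))
```

Flows are keyed on the endpoint pair alone, so a reused address/port pair is counted as one flow. Byte counts are `frame.len` (whole frames), not TCP payload.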
question asked: 15 Jun '16, 01:04

question was seen: 1,049 times

last updated: 15 Jun '16, 18:20
