Tshark statistics to show port numbers?

Question

My apologies if this comes off as an overly newb question. I have been tasked by coworker to take a repository of pcaps and provide output from them in the form of...

src ip:src port    dst ip:dst port    # of packets

I played around with piping tcpdump to grep for a while before figuring out that tshark might be far easier, and I've managed to get the output that I need with the exception of the source and destination ports.

The command that I've used is...

tshark -r file.pcap -z conv,ip -q

The output would be perfect if I could get it to display ports numbers beside each IP. I've been digging through the man pages with little luck so far. If anyone can recommend a solution, I would be most appreciative.

Thanks

Accepted Answer

1

Simple: (assuming you're referring to TCP ports) try

tshark -r file.pcap -z conv,tcp -q

:)

answered 25 Aug '11, 14:56

Bill Meier ♦♦
3.2k●1●8●50
accept rate: 17%

edited 25 Aug '11, 14:57

The TShark command to do this for UDP ports is left as an exercise for the reader. :-)

(25 Aug '11, 17:53) Guy Harris ♦♦

Ever have one of those head-to-desk moments? I had one when I read that. Thank you, Bill! As an aside, is it possible to display multiple protocols with this? Something like...

-z conv,tcp&udp

(26 Aug '11, 08:17) Mark

2

$ tshark -r http.pcap -q -z conv,tcp -z conv,udp

See the TShark man-page for more information:
http://www.wireshark.org/docs/man-pages/tshark.html

(26 Aug '11, 10:27) joke