This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to count the total IP size of a capture

0

Hello,

I would like to get the total IP size of the captured packets. I am asking for the IP size, not the total size of the packets (with the Ethernet header included, for example).

Thank you, G. Husson

asked 09 Dec '11, 07:04

thalos_ghusson
1111
accept rate: 0%


2 Answers:

2

Try TShark Statistics

$ tshark -r Clmt_04.pcap -qz "io,stat,300,SUM(ip.len)ip.len"
===================================================================
IO Statistics
Interval: 300.000 secs
Column #0: SUM(ip.len)ip.len
                |   Column #0
Time            |            SUM
000.000-300.000            877439
===================================================================

answered 09 Dec '11, 07:47

joke
1.3k4934
accept rate: 9%

1

Hello,

Thank you for this, it perfectly meets my needs! Personally, I will put "0"s, as in the man page it says that it will not limit the analysis.

tshark.exe" -r "test.pcap" -qz "io,stat,0,SUM(ip.len)ip.len"

G. Husson

(12 Dec '11, 00:11) thalos_ghusson

You are welcome:)
Just another example:

$ tshark -r Clmt_04.pcap -qz "io,stat,0,SUM(frame.len)frame.len" -z "io,stat,0,SUM(ip.len)ip.len"
======
IO Statistics
Column #0: SUM(ip.len)ip.len
                |   Column #0
Time            |            SUM
000.000-                   877439
======
======
IO Statistics
Column #0: SUM(frame.len)frame.len
                |   Column #0
Time            |            SUM
000.000-                   901742
======
(12 Dec '11, 01:26) joke

0

I would start with tshark filtering the needed information:

tshark -r "Test-Run.cap" -R "ip.len>0" -Tfields -e ip.len

then do whatever to sum those results up and you're good. Excel, Calc, Perl scripting ...

answered 09 Dec '11, 07:21

Landi
2.3k51442
accept rate: 28%

edited 09 Dec '11, 07:21

I tried that:

C:\Documents and Settings\XXX\Bureau>"C:\Program Files\Wireshark\tshark.exe" tshark -r "test.pcap" -R "ip.len>0" -Tfields -e ip.len
NOTE: you should run 'diskperf -y' to enable the disk statistics
tshark: Read filters were specified both with "-R" and with additional command-line arguments

Wireshark does not run.

My version: Version 1.6.1 (SVN Rev 38096 from /trunk-1.6) on Windows XP SP3

Thank you, G. Husson

(09 Dec '11, 07:30) thalos_ghusson

Sorry, my mistake, I left a "tshark" on the command line. Now it is working. It is a good starting point, thank you!

C:\Documents and Settings\thalos\Bureau>"C:\Program Files\Wireshark\tshark.exe" -r "test.pcap" -R "ip.len>0" -Tfields -e ip.len
NOTE: you should run 'diskperf -y' to enable the disk statistics
76
40
76
76
76
76
164
40

(09 Dec '11, 07:40) thalos_ghusson
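
One way to do the "sum those results up" step from the answer above, as an added example that is not part of the original thread. The function name `sum_ip_len`, the two-column field selection and the sample lines are assumptions made for illustration; the sample data is constructed, and only the outermost IP header of each frame is counted.

```shell
#!/bin/sh
# Added example: total frame bytes and IP bytes from tshark field output.
# Assumed input (one line per frame, tab-separated):
#   tshark -r test.pcap -T fields -e frame.len -e ip.len
# ip.len is empty for non-IP frames and comma-joined when a frame carries
# more than one IP header (e.g. an ICMP error quoting the original packet).

sum_ip_len() {
    awk -F '\t' '
        { sub(/\r$/, "") }                      # tolerate Windows line endings
        $1 !~ /^[0-9]+$/ { skipped++; next }    # console notes, blank lines
        {
            frames++
            frame_bytes += $1
            if ($2 == "") next                  # non-IP frame (ARP, STP, ...)
            split($2, occ, ",")                 # occ[1] = outermost IP header
            if (occ[1] !~ /^[0-9]+$/) next
            ip_packets++
            ip_bytes += occ[1]
        }
        END {
            # %.0f keeps byte totals exact past 2^31 in every awk
            printf "frames=%d ip_packets=%d frame_bytes=%.0f ip_bytes=%.0f skipped=%d\n",
                   frames, ip_packets, frame_bytes, ip_bytes, skipped
        }'
}

# Constructed sample: the eight ip.len values shown in the thread, each with
# an assumed 14-byte Ethernet header, plus one ARP frame, one ICMP error and
# the console note that appeared in the Windows output.
sample_fields() {
    printf "NOTE: you should run 'diskperf -y' to enable the disk statistics\n"
    printf '90\t76\n54\t40\n90\t76\n90\t76\n90\t76\n90\t76\n178\t164\n54\t40\n'
    printf '60\t\n'         # ARP: no IP header
    printf '70\t56,60\n'    # ICMP error: outer ip.len 56, quoted inner 60
}

sample_fields | sum_ip_len
```

The difference between `frame_bytes` and `ip_bytes` is the link-layer overhead plus any non-IP traffic in the capture.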