This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I would like to get a total IP size of captured packets. I am asking IP size, not total size of the packets (with ethernet header included for example).

Thank you, G. Husson

asked 09 Dec '11, 07:04

thalos_ghusson's gravatar image

thalos_ghusson
1111
accept rate: 0%


Try TShark Statistics

$ tshark -r Clmt_04.pcap -qz "io,stat,300,SUM(ip.len)ip.len"
===================================================================
IO Statistics
Interval: 300.000 secs
Column #0: SUM(ip.len)ip.len
                |   Column #0
Time            |            SUM
000.000-300.000            877439
===================================================================

permanent link

answered 09 Dec '11, 07:47

joke's gravatar image

joke
1.3k4934
accept rate: 9%

1

Hello,

Thank you for this, it perfectly feeds my needs ! Personnaly, I will put "0"s, as in man it says that it will not limit the analysis.

tshark.exe" -r "test.pcap" -qz "io,stat,0,SUM(ip.len)ip.len"

G. Husson

(12 Dec '11, 00:11) thalos_ghusson

You are welcome:)
Just another example:

$ tshark -r Clmt_04.pcap -qz "io,stat,0,SUM(frame.len)frame.len" -z "io,stat,0,SUM(ip.len)ip.len"
======
IO Statistics
Column #0: SUM(ip.len)ip.len
                |   Column #0
Time            |            SUM
000.000-                   877439
======

====== IO Statistics Column #0: SUM(frame.len)frame.len | Column #0 Time | SUM 000.000- 901742 ======

(12 Dec '11, 01:26) joke

I would start with tshark filtering the needed information:

tshark -r "Test-Run.cap" -R "ip.len>0" -Tfields -e ip.len

then do whatever to sum those results up and your good. Excel, Calc, perl scripting ...

permanent link

answered 09 Dec '11, 07:21

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

edited 09 Dec '11, 07:21

I tryed that : C:Documents and SettingsXXXBureau>"C:Program FilesWiresharktshark.exe" tshark -r "test.pcap" -R "ip.len>0" -Tfields -e ip.len NOTE: you should run 'diskperf -y' to enable the disk statistics tshark: Read filters were specified both with "-R" and with additional command-line arguments Wireshark does not run.

My version : Version 1.6.1 (SVN Rev 38096 from /trunk-1.6) on windows XP SP3

Thank you, G. HUsson

(09 Dec '11, 07:30) thalos_ghusson

Sorry, my mistake, I let a "tshark" on the command line. Now it is working. It is a good start point, thank you !

C:Documents and SettingsthalosBureau>"C:Program FilesWiresharktshark.exe" -r "test.pcap" -R "ip.len>0" -Tfields -e ip.len NOTE: you should run 'diskperf -y' to enable the disk statistics 76 40 76 76 76 76 164 40

(09 Dec '11, 07:40) thalos_ghusson
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×178
×41
×16
×4

question asked: 09 Dec '11, 07:04

question was seen: 8,282 times

last updated: 12 Dec '11, 01:27

p​o​w​e​r​e​d by O​S​Q​A