This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Counting IP occurrences in PCAP file using tshark

1
2

Hi

I'm looking for TSHARK syntax to count:

  1. how many times IP address is present in the PCAP file as source ip.
  2. how many times IP address is present in the PCAP file as destination ip.
  3. how many times TCP Port is present in the PCAP file as destination port.

This needs to be OS-independent, so pipes and OS-specific commands can't be used...

Thanks a lot for any help

asked 22 Mar '12, 12:31

Aleksandrc's gravatar image

Aleksandrc
21123
accept rate: 0%

edited 22 Mar '12, 16:26

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

2 Answers:

2

Simply use I/O stasistics for that:

c:\tshark -r tracefile.pcap -qz io,stat,0,ip.src==1.2.3.4,ip.dst==1.2.3.4,tcp.dstport==80

=================================================================== IO Statistics Column #0: ip.src==1.2.3.4 Column #1: ip.dst==1.2.3.4 Column #2: tcp.dstport==80 | Column #0 | Column #1 | Column #2 Time |frames| bytes |frames| bytes |frames| bytes 000.000- 725 52048 663 340474 28 2494 ===================================================================

answered 26 Mar '12, 03:35

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

edited 26 Mar '12, 03:37

1

How OS independent does it need to be? If you need *nix AND Windows then you'll be struggling as it will need some scripting and the native script environments are wildly different.

The tshark manual page lists all the options for tshark, you'll probably want to look at the '-T fields' with some '-e' options, e.g. '-T fields -e ip.src' to get a list of the source ip's, '-T fields -e ip.dst' for destination IP's and '-T fields -e tcp.dstport' for the destination port.

answered 22 Mar '12, 13:32

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%