This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Counting IP occurrences in PCAP file using tshark

1
2

Hi

I'm looking for TSHARK syntax to count:

  1. how many times IP address is present in the PCAP file as source ip.
  2. how many times IP address is present in the PCAP file as destination ip.
  3. how many times TCP Port is present in the PCAP file as destination port.

This needs to be OS-independent, so pipes and OS-specific commands can't be used...

Thanks a lot for any help

asked 22 Mar '12, 12:31

Aleksandrc's gravatar image

Aleksandrc
21123
accept rate: 0%

edited 22 Mar '12, 16:26

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
2 Answers:
active answersoldest answersnewest answerspopular answers
2

Simply use I/O stasistics for that:

c:\tshark -r tracefile.pcap -qz io,stat,0,ip.src==1.2.3.4,ip.dst==1.2.3.4,tcp.dstport==80

=================================================================== IO Statistics Column #0: ip.src==1.2.3.4 Column #1: ip.dst==1.2.3.4 Column #2: tcp.dstport==80 | Column #0 | Column #1 | Column #2 Time |frames| bytes |frames| bytes |frames| bytes 000.000- 725 52048 663 340474 28 2494 ===================================================================

permanent link

answered 26 Mar '12, 03:35

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

edited 26 Mar '12, 03:37

1

How OS independent does it need to be? If you need *nix AND Windows then you'll be struggling as it will need some scripting and the native script environments are wildly different.

The tshark manual page lists all the options for tshark, you'll probably want to look at the '-T fields' with some '-e' options, e.g. '-T fields -e ip.src' to get a list of the source ip's, '-T fields -e ip.dst' for destination IP's and '-T fields -e tcp.dstport' for the destination port.

permanent link

answered 22 Mar '12, 13:32

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832
×349
×178
×69
×16

question asked: 22 Mar '12, 12:31

question was seen: 9,238 times

last updated: 26 Mar '12, 03:37

Related questions

Filtering Using TShark to generate an Output

Filter multiple IPs

GIOP filter - tshark

Commandline Capture Filter for only GET Requests that contain ".exe" or ".jar" ?

Limit / tailor tshark conversations output

How to generate a file with specific attributes from a .pcap file?

IP filter from command line

Capture ALL incoming traffic and ONLY incoming traffic.

Wireless traffic to/from another device is not getting captured

How to hide the count of captured packets with tshark

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A