
I am using this command with tshark:

tshark -r pcapfile "tcp and ip.src==192.168.1.1" -T text -V -x | grep 'Total Length'

This essentially parses the pcap for only connections from the source ip and looks for the total length in bytes from each packet. I get output like this:

Total Length: 125 
Total Length: 210 
Total Length: 40 
Total Length: 125
etc, etc....

What I need to do is take the numbers from Total Length and add them up so I can get an idea of how much data was passed over the wire in the time frame of the pcap from a single IP.

Is there a command I can add on the end of the one I am using to do this? Or is there a way I can direct to stdout and then pipe that to a program that can parse and calculate what I am after? Anyone know of a similar command with tcpdump that can do this?


2 Answers


You can rely purely on tshark to do this, by using the statistics option with the IO stat calculator:

tshark -r pcapfile -z io,stat,0,"SUM(frame.len)frame.len && ip.src == 192.168.1.1 && ip.proto == 6"

This will show a board where the SUM column is the data you are looking for.


awk can sum up a column of numbers. Something like this should do the trick.

Assuming that the output of your tshark is in foo.txt:

$ cat foo.txt | awk '{ sum += $3 } END { print sum }'

You could also pipe the output of "grep" directly to awk, and it would work in a similar fashion.

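Both answers give a single total for one address. The script below is an added example (not code from either answer) that extends the same idea to a per-source-IP byte count, the kind of traffic-volume table you would want when baselining which hosts are pushing data. Instead of `-V -x | grep`, it assumes tshark was run with `tshark -r pcapfile -T fields -e ip.src -e ip.len -e frame.len` (one tab-separated row per frame), and it reports both `ip.len` (the IP header's "Total Length" the question greps for) and `frame.len` (what the first answer sums, which also includes the link-layer header, 14 bytes on Ethernet). The sample rows are constructed, not taken from a real capture; the handling of rows where tshark prints two comma-separated values (a frame with an inner IP header, such as an ICMP error) keeps the first, outer value.

```python
"""Per-source-IP byte totals from tshark field output (added example).

Assumed input format (not from the original page):
    tshark -r pcapfile -T fields -e ip.src -e ip.len -e frame.len
One frame per line, fields separated by tabs. Non-IP frames (ARP etc.)
leave ip.src and ip.len empty; frames with two IP layers print
"outer,inner" for both fields.
"""
import sys
from collections import defaultdict
from typing import Dict, Iterable, Iterator, Tuple

# Constructed sample output, not a real capture.
SAMPLE = (
    "192.168.1.1\t125\t139\n"
    "192.168.1.1\t210\t224\n"
    "10.0.0.5\t60\t74\n"
    "\t\t64\n"                        # ARP frame: no IP header, skipped
    "10.0.0.5,192.168.1.1\t56,28\t70\n"  # ICMP error with inner IP header
    "192.168.1.1\t40\t54\n"
    "192.168.1.1\t125\t139\n"
)


def _outer(value: str) -> str:
    """tshark joins multiple occurrences with ','; the first is the outer header."""
    return value.split(",", 1)[0]


def parse_fields(lines: Iterable[str]) -> Iterator[Tuple[str, int, int]]:
    """Yield (src_ip, ip_len, frame_len), skipping non-IP and malformed rows."""
    for raw in lines:
        parts = raw.rstrip("\n").split("\t")
        if len(parts) != 3 or not parts[0]:
            continue
        try:
            yield _outer(parts[0]), int(_outer(parts[1])), int(parts[2])
        except ValueError:
            # A field that is not an integer: treat the row as malformed.
            continue


def bytes_per_source(text: str) -> Dict[str, Dict[str, int]]:
    """Aggregate frame count, IP bytes and frame bytes per source address."""
    totals: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"frames": 0, "ip_bytes": 0, "frame_bytes": 0}
    )
    for src, ip_len, frame_len in parse_fields(text.splitlines(True)):
        t = totals[src]
        t["frames"] += 1
        t["ip_bytes"] += ip_len
        t["frame_bytes"] += frame_len
    return dict(totals)


def report(totals: Dict[str, Dict[str, int]]) -> str:
    """Render the table, busiest source first by IP bytes."""
    rows = sorted(totals.items(), key=lambda kv: kv[1]["ip_bytes"], reverse=True)
    out = ["%-18s %8s %10s %12s" % ("src", "frames", "ip_bytes", "frame_bytes")]
    for src, t in rows:
        out.append("%-18s %8d %10d %12d" % (src, t["frames"], t["ip_bytes"], t["frame_bytes"]))
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe tshark's -T fields output in, or run without input to see the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(report(bytes_per_source(data)))
```

Run as `tshark -r pcapfile -T fields -e ip.src -e ip.len -e frame.len | python3 bytes_per_src.py`; the `ip.proto == 6` restriction from the first answer can be kept by adding `-Y "tcp"` to the tshark command.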