Although it sounds easy, I cannot find an answer around.

I just need to enumerate certain packets in a certain pcap file (with tshark). e.g.: how many packets are ipv6.ack? how many packets are udp?

and tshark has to print just a number...

George Violettas

1 Answer

You can use the -z io,stat,0 option, e.g.:

tshark -r capture.pcap -q -z io,stat,0,"udp"

... however this will produce an IO Statistics table, not a single number.

If you have tools like wc, grep and cut available to you, you could try one or more of these solutions:

tshark -r capture.pcap -q -z io,stat,0,"udp" | grep "<>" | cut -d ' ' -f 8
tshark -r capture.pcap -Y "udp" | wc -l

If you're on Windows, and you don't have any of these tools, you could try wrapping this in a batch file, such as:

@ECHO OFF
SETLOCAL
SETLOCAL ENABLEEXTENSIONS
SETLOCAL ENABLEDELAYEDEXPANSION

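REM %~1 and %~2 strip surrounding quotes, so quoted paths and filters work.
REM -q suppresses the per-packet lines so only the statistics table is printed.
IF "%~1" == "" GOTO :USAGE
IF "%~2" == "" (
    SET TSHARK_CMD=tshark.exe -r "%~1" -q -z io,stat,0
) ELSE (
    SET TSHARK_CMD=tshark.exe -r "%~1" -q -z io,stat,0,"%~2"
)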

FOR /F "TOKENS=6 DELIMS= " %%A in ('!TSHARK_CMD! ^| FINDSTR "^<^>"') DO (
    ECHO %%A
)
GOTO :END

:USAGE
ECHO usage: printframes ^<file^> ^[filter^]

ENDLOCAL
:END
Christopher Maynard
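
As an added example (not part of the answer above, and not tshark's own tooling), the io,stat table can be parsed by splitting on `|` instead of counting space-separated fields, so the result does not depend on column padding and tables with several intervals are summed. The function names, the `count_packets` wrapper and the sample tables are constructed for illustration; the table layout is assumed to match the `<>` interval rows the answer greps for.

```shell
#!/bin/sh
# Added example, not from the original answer.

# Read a `tshark -q -z io,stat,...` table on stdin and print the total of
# the Frames column. Fields are split on '|', so padding width is irrelevant.
iostat_frames() {
    awk -F'|' '
        /<>/ {                          # data rows: "| 0.0 <> 12.3 | 42 | 5310 |"
            n = $3
            gsub(/[ \t]/, "", n)
            if (n !~ /^[0-9]+$/) { bad = 1; exit }   # unknown layout: do not guess
            total += n; rows++
        }
        END { if (bad || rows == 0) exit 1; print total }
    '
}

# Hypothetical wrapper: capture file in $1, optional display filter in $2.
# Fails (non-zero status) if tshark prints no interval rows, e.g. on a bad filter.
count_packets() {
    tshark -r "$1" -q -z "io,stat,0${2:+,$2}" | iostat_frames
}

# Constructed sample tables (layout modelled on tshark output, values invented).
sample_single() {
    cat <<'EOF'
| IO Statistics                   |
| Col 1: udp                      |
|---------------------------------|
| Interval     | Frames | Bytes   |
|---------------------------------|
|  0.0 <> 12.3 |     42 |    5310 |
EOF
}

sample_intervals() {
    cat <<'EOF'
| Interval   | Frames | Bytes |
|   0 <> 5   |      7 |   910 |
|   5 <> 10  |   1205 | 98000 |
EOF
}

sample_single | iostat_frames       # 42
sample_intervals | iostat_frames    # 1212
```

With tshark installed, `count_packets capture.pcap udp` prints the single number the question asks for.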