How to use tshark or tcpdump to calculate bytes transmitted

log-filespcaptcpdumptshark

I am using this command with tshark:

tshark -r pcapfile "tcp and ip.src==192.168.1.1" -T text -V -x | grep 'Total Length'

This essentially parses the pcap for only connections from the source ip and looks for the total length in bytes from each packet. I get output like this:

Total Length: 125 
Total Length: 210 
Total Length: 40 
Total Length: 125
> etc, etc....

What I need to do is take the numbers from Total Length and add them up so I can get an idea of how much data was passed over the wire in the time frame of the pcap from a single IP.

Is there a command I can add on the end of the one I am using to do this? Or is there a way I can direct to stdout and then pipe that to a program that can parse and calculate what I am after? Anyone know of a similar command with tcpdump that can do this?

Best Answer

awk can sum up a column of numbers. Something like this should do the trick.

Assuming that the output of your tshark is in foo.txt:

$ cat foo.txt | awk '{ sum += $3 } END { print sum }'

You could also pipe the output of "grep" directly to awk, and it would work in a similar fashion.

Related Solutions

Monitoring HTTP traffic using tcpdump

tcpdump prints complete packets. "Garbage" you see are actually TCP package headers.

you can certainly massage the output with i.e. a perl script, but why not use tshark, the textual version of wireshark instead?

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

it takes the same arguments as tcpdump (same library) but since its an analyzer it can do deep packet inspection so you can refine your filters even more, i.e.

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R'http.request.method == "GET" || http.request.method == "HEAD"'

Java – How to use tshark to do this task

What I want to do is that first I let tshark to read from that pcap file, and then use the time range to filter out all the network flows that are in that time range

You should do it with editcap:

$ editcap -A "2011-07-12 09:49:16" -B "2011-07-12 09:49:20" in.pcap out.pcap

and then use the ip addr to filter out all the network flows from that ip addr, and then use the tcp port number and the number of packets sent/received by the ip addr to finally locate the flow I want.

$ tshark -r out.pcap -R "ip.addr == $IP && tcp.port == $PORT"

Then follow this flow/stream

$ tshark -r out.pcap -R "ip.addr == $IP && tcp.port == $PORT" \
    -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | \
    while read line; do tshark -r out.pcap \
        -R "ip.addr == `echo $line | awk '{ print $1 }'` && \
        tcp.port == `echo $line | awk '{ print $2 }'` && \
        ip.addr == `echo $line | awk '{ print $3 }'` && \
        tcp.port == `echo $line | awk '{ print $4 }'`" \     
        echo \
    done

Best Answer

Related Solutions

Monitoring HTTP traffic using tcpdump

Java – How to use tshark to do this task

Related Topic