I am using this command with tshark:
tshark -r pcapfile "tcp and ip.src==192.168.1.1" -T text -V -x | grep 'Total Length'
This essentially parses the pcap for only connections from the source ip and looks for the total length in bytes from each packet. I get output like this:
Total Length: 125
Total Length: 210
Total Length: 40
Total Length: 125
etc, etc....
What I need to do is take the numbers from Total Length and add them up so I can get an idea of how much data was passed over the wire in the time frame of the pcap from a single IP.
Is there a command I can add on the end of the one I am using to do this? Or is there a way I can direct to stdout and then pipe that to a program that can parse and calculate what I am after? Anyone know of a similar command with tcpdump that can do this?
Best Answer
awk can sum up a column of numbers. Something like this should do the trick. Assuming that the output of your tshark is in foo.txt:
You could also pipe the output of "grep" directly to awk, and it would work in a similar fashion.
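
An added example (not the answerer's original command) of the awk approach described above: a shell function that reads the verbose tshark output on stdin and sums the Total Length values, so no intermediate file or separate grep is needed. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: sum the "Total Length" values in `tshark -V` output.
# Reads verbose tshark text on stdin and prints "<packets> <bytes>".
sum_total_length() {
    awk '
        # Match only the header line itself, e.g. "    Total Length: 125".
        # Default field splitting ignores the indentation, so the number is $3.
        /^[ \t]*Total Length: [0-9]+/ {
            bytes += $3
            packets++
        }
        # %.0f avoids integer clamping in some awk builds on large captures.
        END { printf "%d %.0f\n", packets, bytes }
    '
}

# Constructed sample: the four lengths shown in the question, surrounded by
# the kind of neighbouring lines that -V prints (values are made up).
sample_output() {
    cat <<'EOF'
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.20
    Total Length: 125
    Identification: 0x1a2b (6699)
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.20
    Total Length: 210
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.20
    Total Length: 40
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.20
    Total Length: 125
EOF
}

# Against a real capture (file name and address taken from the question):
#   tshark -r pcapfile "tcp and ip.src==192.168.1.1" -V | sum_total_length
sample_output | sum_total_length
```

Total Length is the IPv4 header field, so the sum covers IP header plus payload for each packet and excludes link-layer framing.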