Wireshark-users: Re: [Wireshark-users] how to analyze the pcap file

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 11 Jun 2008 09:07:46 +0200
On Wed, Jun 11, 2008 at 01:50:32PM +0800, ?????? wrote:
> recently i am trying to analyze the pcap file in order to know 
> the protocol type in the content of the file
> can you tell me some program that can do the above? thanks

If I understand you correctly, you want to know what protocols are
in a particular tracefile without having to open it in your protocol
analyser?

Well, without reading the file this is not possible: there are no
protocol statistics inside the pcap file. You will need to read the
whole file to build the statistics. tshark (which comes with Wireshark)
is capable of doing this:

[sake@vm-fedora8 trunk]$ tshark -r file.cap -qz io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:79679 bytes:13589551
  eth                                    frames:79679 bytes:13589551
    ip                                   frames:79673 bytes:13589203
      tcp                                frames:79673 bytes:13589203
        http                             frames:9113 bytes:4954211
          malformed                      frames:82 bytes:7156
          image-gif                      frames:1519 bytes:1240883
          data-text-lines                frames:160 bytes:123448
          media                          frames:51 bytes:32775
        ssl                              frames:8890 bytes:3553534
          malformed                      frames:764 bytes:75674
        tcp.segments                     frames:932 bytes:491318
          http                           frames:531 bytes:46571
            data-text-lines              frames:512 bytes:34695
          ssl                            frames:401 bytes:444747
            ssl                          frames:1 bytes:1030
    arp                                  frames:6 bytes:348
===================================================================
[sake@vm-fedora8 trunk]$


Is this what you are looking for?

Cheers,
    Sake