Wireshark-users: Re: [Wireshark-users] print number of packet based on filter in afile

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Fri, 25 Sep 2009 11:29:59 +0200
Hi,
 
You can use interval "0" to calculate statistics on the whole file with no intervals.
 
Cheers,
 
 
Sake
 
----- Original Message -----
Sent: Friday, September 25, 2009 10:47 AM
Subject: Re: [Wireshark-users] print number of packet based on filter in afile

hi,
 
and another one that I forgot
 
in the below command
 
D:\temp>tshark -r trace000.pcap -q -z io,stat,600,megaco.command=="Add",megaco.command=="Subtract"

===================================================================
IO Statistics
Interval: 600.000 secs
Column #0: megaco.command==Add
Column #1: megaco.command==Subtract
                |   Column #0    |   Column #1
Time            |frames|  bytes  |frames|  bytes
000.000-600.000   67587  43523248  67931  13153738
===================================================================

as far as I can understand,, the yellow highlighted part (600) is the interval in seconds for which tshark should perform the calculations
 
Since I want the complete file,,, I just use a very large number
Is there a way to omit this interval
or tell tshark to simply parse the entire packet?
 
I have not been able to find such an option in help ... that's why I'm asking ...
 
thanks again
Manolis
 
 
 
 
On Fri, Sep 25, 2009 at 10:54 AM, Manolis Katsidoniotis <manoska@xxxxxxxxx> wrote:
hi
 
thanks,, it worked beautifully also with combinations
 
another quicky
in case you happen to have an opinion
 
I have a huge amount of files of 80MB each and I wish to create total statistics about add/modify/... etc, etc,
should I merge all files in one large (~5GB) file and then run tshark against it or should I create a batch script store the results in .csv and use Excel?
 
 
br
Manolis

On Fri, Sep 25, 2009 at 7:07 AM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
Hi Manolis

Do you use the , as decimal symbol?
You have to use the . as decimal symbol.

Please check
Settings -> Control Pannel -> Regional And Language Options

Regards
Joan


On Date: Fri, 25 Sep 2009 00:14:52 +0300 Manolis Katsidoniotis wrote
>Hello
>
>
>
>I have a large capture file and would like to print the number of packets
>that apply to the below display filters:
>
>megaco.command == "Add"
>
>megaco.command == "Modify"
>
>megaco.command == "Subtract"
>
>
>
>I am entering
>
>
>
>tshark -r F:\Temp\bang_cont_00001_20090626194720.pcap -q -z
>io,stat,600,megaco.command=="Add"
>
>
>
>but I get the total number of packets not the megaco add commands (which
>is
>what I had in the filter)
>
>
>
>C:\Program Files\Wireshark>tshark -r
>F:\Temp\bang_cont_00001_20090626194720.pcap -q -z
>io,stat,600,megaco.command=="Add"
>
>NOTE: you should run 'diskperf -y' to enable the disk statistics
>
>
>
>===================================================================
>
>IO Statistics
>
>Interval: 600.000 secs
>
>Column #0:
>
>                |   Column #0
>
>Time            |frames|  bytes
>
>000.000-600.000   48110  25445310
>
>===================================================================
>
>
>
>
>
>48110 is the number of total captured frames
>
>Instead when I apply the display the number of packets selected is 16107
>
>
>
>Looks like my filter is not working.
>
>
>
>What am I doing wrong?
>
>
>
>Thanks in advance for your time
>
>Manolis
>
>___________________________________________________________________________
>Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>Archives:    http://www.wireshark.org/lists/wireshark-users
>Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe





___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe