I've got .pcap files that I use to verify traffic is
bi-directional.
I currently use tshark and do something like:

    ./tshark -r capture.pcap ip.src == 192.168.1.1 | wc -l
    ./tshark -r capture.pcap ip.dst == 192.168.1.1 | wc -l

and compare the number of lines returned. As long as they're
close I'm happy.
Is there a smarter method to compare IP "request/responses"?
I don't need to have exact data. Just want to make sure the
numbers are "close". I'd like to do it in one pass because the
pcap files get rather large and can take a while to go
through.
Thanks,
Gary
--
squeaky@xxxxxxxxxxxxxxxx
SDF Public Access UNIX System - http://sdf.lonestar.org
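
One way to get both counts from a single read of the capture, as an added example that is not part of the original post: tshark prints the source and destination of every packet once, and awk tallies both directions for the host. The function names, the 80 percent threshold and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Reads one line per packet on stdin, "ip.src<TAB>ip.dst", e.g.
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst | direction_counts 192.168.1.1
# and prints "<sent> <received>" for the host, reading the capture once.
direction_counts() {
    awk -F '\t' -v host="$1" '
        {
            # A packet with an embedded IP header (an ICMP error, a tunnel)
            # gives comma-separated values; the outer header is listed first.
            split($1, s, ","); split($2, d, ",")
            if (s[1] == host) sent++
            if (d[1] == host) rcvd++
        }
        END { printf "%d %d\n", sent, rcvd }'
}

# Succeeds when both counts are non-zero and the smaller is at least MIN_PCT
# percent of the larger. MIN_PCT (default 80) is an assumed threshold.
counts_are_close() {
    sent=$1 rcvd=$2 min_pct=${3:-80}
    [ "$sent" -gt 0 ] && [ "$rcvd" -gt 0 ] || return 1
    if [ "$sent" -lt "$rcvd" ]; then small=$sent large=$rcvd
    else small=$rcvd large=$sent; fi
    [ $((small * 100)) -ge $((large * min_pct)) ]
}

# Constructed sample standing in for the tshark field output.
sample_fields() {
    printf '192.168.1.1\t10.0.0.5\n'
    printf '10.0.0.5\t192.168.1.1\n'
    printf '192.168.1.1\t10.0.0.5\n'
    printf '10.0.0.5\t192.168.1.1\n'
    printf '192.168.1.1\t10.0.0.9\n'
    printf '\t\n'                                        # non-IP frame
    printf '10.0.0.9,192.168.1.1\t192.168.1.1,10.0.0.9\n' # ICMP error
    printf '10.0.0.7\t10.0.0.8\n'                         # unrelated hosts
}

# Demo on the constructed sample.
set -- $(sample_fields | direction_counts 192.168.1.1)
if counts_are_close "$1" "$2"; then echo "bi-directional: sent=$1 received=$2"
else echo "one-sided: sent=$1 received=$2"; fi
```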