Gary Taylor <squeaky@...> writes:
>
> I've got .pcap files that I use to verify traffic is
> bi-directional.
>
> I currently use tshark and do something like
> ./tshark -r capture.pcap ip.src == 192.168.1.1 | wc -l
> ./tshark -r capture.pcap ip.dst == 192.168.1.1 | wc -l
>
> and compare the number of lines returned. As long as they're
> close I'm happy.
>
> Is there a smarter method to compare ip "request/responses"?
> I don't need to have exact data. Just want to make sure the
> numbers are "close". I'd like to do it in one pass because the
> pcap files get rather large and can take a while to go
> through.
You could try looking at the various tshark -z options?
See https://www.wireshark.org/docs/man-pages/tshark.html
For example,
tshark -r capture.pcap -Y "ip.addr eq 192.168.1.1" -z conv,ip,"ip.src eq 192.168.1.1" -z conv,ip,"ip.dst eq 192.168.1.1" -q
or
tshark -r capture.pcap -Y "ip.addr eq 192.168.1.1" -z io,phs,"ip.src eq 192.168.1.1" -z io,phs,"ip.dst eq 192.168.1.1" -q
- Chris
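As an added example, not from either poster: the same one-pass per-direction count done directly on the pcap in Python, for when tshark is not available on the box holding the capture. It assumes a classic little-endian pcap (not pcapng) with Ethernet frames and only looks at IPv4; the sample capture below is constructed inline.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def count_directions(pcap_bytes: bytes, host: str):
    """One pass over a classic pcap: returns (packets_from_host, packets_to_host)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    target = IPv4Address(host).packed
    sent = received = 0
    off = 24
    while off + 16 <= len(pcap_bytes):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # IPv4 over Ethernet only (EtherType 0x0800); ARP, IPv6 and truncated frames are skipped
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        if frame[26:30] == target:   # IPv4 source address
            sent += 1
        if frame[30:34] == target:   # IPv4 destination address
            received += 1
    return sent, received


def is_bidirectional(sent: int, received: int, tolerance: float = 0.25) -> bool:
    """'Close' as in the question: both directions seen, smaller side within tolerance of larger."""
    if sent == 0 or received == 0:
        return False
    return min(sent, received) / max(sent, received) >= 1 - tolerance


# --- constructed sample capture (not a real trace) ---
def _ipv4_frame(src: str, dst: str) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"                     # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip


def _pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = _pcap([_ipv4_frame("192.168.1.1", "10.0.0.5")] * 4
                    + [_ipv4_frame("10.0.0.5", "192.168.1.1")] * 3
                    + [_ipv4_frame("10.0.0.7", "10.0.0.8")])
```

Running `count_directions(SAMPLE_PCAP, "192.168.1.1")` gives (4, 3), which `is_bidirectional` accepts at the default 25% tolerance.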