Group by mac address

Question

Hello,

I searched a lot but I don't find a solution. I would to know if it is possible in tshark to filter the traffic (in Bytes) for each mac address

exemple :

00:ce:56:fd:34:ab -> 8000 Bytes
00:ce:89:fd:37:c8 -> 16788 Bytes

I have started something like this :

tshark -r myfile -qz io,stat,0,1,SUM(...

Any idea please ?

kevin

Answer 1

0

Try this:
tshark -r test.pcap -q -z conv,eth,eth.addr==00:ce:56:fd:34:ab -z conv,eth,eth.addr==00:ce:89:fd:37:c8

Just some other examples:
$ tshark -r test.pcap -q -z conv,eth
$ tshark -r test.pcap -q -z conv,eth -z conv,ip -z conv,tcp
$ tshark -r test.pcap -q -z conv,tcp,ip.addr==192.168.100.1 -z conv,ip,ip.addr==192.168.136.1

link

answered 01 Mar '11, 10:32

joke
1.2k●3●7●29
accept rate: 10%

edited 02 Mar '11, 03:40

Answer 2

Thank you so much for your quick response !! I will try this tomorrow.

Another question : My goal is to detect abnormal traffic volume during the night (virus...) I do not necessarily know all the mac address as they connect to wifi

so is it possible to combine the data volume per mac address without knowing them ?

something like this :

 tshark -r test.pcap -q -z conv,eth,eth.addr==*

thank you again kevin

Answer 3

0	To see all ethernet conversations use: $ tshark -r test.pcap -q -z conv,eth To redirect output to a text file use: $ tshark -r test.pcap -q -z conv,eth > test.txt link answered 02 Mar '11, 10:41 joke 1.2k●3●7●29 accept rate: 10%

Group by mac address

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions