 | 1 | initial version |
tshark -r xx.pcap -qz io,stat,1,"COUNT(frame) frame"
In this expression, the second "frame" is in fact a filter. For details having to do with how filtering works, the field that appears in the function must also appear in the filter, though the filter can have other fields too. Consult the tshark man page.
You can do what you want with an expression like
tshark -r xx.pcap -qz -io,stat,1,"COUNT(frame)frame && vlan.id == y"
(If, for some reason, you have something odd like an encapsulation that might encapsulate multiple Ethernet frames in a single capture file frame, such as MPEG2TS or GSE, contained in DVB-S2 Baseband Frames, there might be a reason to use
tshark -r xx.pcap -qz -io,stat,1,"COUNT(vlan.id)vlan.id == y"
Which would count the number of times the vlan ID field itself appeared, and thus allow a single frame in the capture file to have multiple VLAN IDs with the same number.)
| | 2 | No.2 Revision |
tshark -r xx.pcap -qz io,stat,1,"COUNT(frame) frame"
In this expression, the second "frame" is in fact a filter. (As you might have noticed, the main display filter given with -Y does not affect the -z io,stat results") For details having to do with how filtering works, the field that appears in the function must also appear in the filter, though the filter can have other fields too. Consult the tshark man page.
You can do what you want with an expression like
tshark -r xx.pcap -qz -io,stat,1,"COUNT(frame)frame && vlan.id == y"
(If, for some reason, you have something odd like an encapsulation that might encapsulate multiple Ethernet frames in a single capture file frame, such as MPEG2TS or GSE, contained in DVB-S2 Baseband Frames, there might be a reason to use
tshark -r xx.pcap -qz -io,stat,1,"COUNT(vlan.id)vlan.id == y"
Which would count the number of times the vlan ID field itself appeared, and thus allow a single frame in the capture file to have multiple VLAN IDs with the same number.)
