
How to find the number of Pkt Lengths (1514) in a given Stream Index

asked 2019-11-19 19:33:45 +0000

JTech_17

Hello, I'm filtering on a particular stream index, but I also want to know the total number of packets of length 1460 that are contained within that single stream.

I'm trying this:

    tcp.stream eq 278 && tcp.len == 1460

and then referencing the number displayed at the bottom (Packets: xxxx - Displayed: xxxxx)

Is this the most accurate way? Suggestions are quite welcome. Thanks, JTech


Comments

The question title seems to be asking for frame.len==1514 ?

bubbasnmp ( 2019-11-19 20:15:33 +0000 )

1 Answer


answered 2019-11-19 20:28:46 +0000

SYN-bit

    tshark -r <file.pcap> -Y "tcp.stream==278 && tcp.len==1460" | wc -l

or get an overview of all the lengths:

    tshark -r <file.pcap> -Y "tcp.stream==278" -T fields -e tcp.len | sort -rn | uniq -c


Comments

In case others are looking at the above answer, it won't work on Windows as it relies on utilities (wc, uniq) and options (the -rn to sort) that aren't available.

A PowerShell equivalent is:

    tshark -r <file.pcap> -Y "tcp.stream==278 && tcp.len==1460" | Measure-Object -Line

or

    tshark -r <file.pcap> -Y "tcp.stream==278" -T fields -e tcp.len | Group-Object -NoElement

grahamb ( 2019-11-20 11:00:07 +0000 )

Thanks for the PowerShell versions Graham, I still need to find some time to get familiar with PowerShell, as I do like the object-oriented nature of PowerShell :-)

SYN-bit ( 2019-11-20 21:09:32 +0000 )

I had started down the PowerShell path last year and was rescued by WSL. :-)
https://docs.microsoft.com/en-us/wind...

Windows file system is at "/mnt/c" and alias ".exe" files to short name.

    $ pwd
    /mnt/c/Program Files/Wireshark
    $
    $ alias
    alias ls='ls --color=auto'
    alias nmap='nmap.exe'
    alias tshark='tshark.exe'
    $

bubbasnmp ( 2019-11-20 23:36:24 +0000 )

WSL is certainly useful, but is quite a large sledgehammer to crack this nut.

Note that PowerShell Core is cross platform and is open source and available on multiple platforms.

grahamb ( 2019-11-21 09:38:57 +0000 )

Ha! Learn something every day. Did not know about PowerShell for other operating systems. Thanks!

bubbasnmp ( 2019-11-21 12:52:20 +0000 )
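
An added example, not part of the thread: the title asks about 1514-byte frames while the filter uses tcp.len==1460, and the two only agree when a data segment carries exactly 54 bytes of headers (14 Ethernet + 20 IPv4 + 20 TCP); with the 12-byte TCP timestamp option a 1514-byte frame carries 1448 bytes of payload. The script below extends the answer's histogram to show both fields per stream. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Rows have the shape printed by
#   tshark -r <file.pcap> -T fields -e tcp.stream -e frame.len -e tcp.len
# (tab-separated, one packet per line).

# Constructed sample rows, not from a real capture: stream, frame.len, tcp.len.
# Stream 278 has no TCP options on data segments; stream 279 uses timestamps.
sample_rows() {
    printf '%s\t%s\t%s\n' \
        278 66 0   278 54 0   278 1514 1460   278 1514 1460 \
        278 1514 1460   278 590 536   278 54 0 \
        279 74 0   279 66 0   279 1514 1448   279 1514 1448   279 66 0
}

# count_len STREAM FIELD VALUE
# Number of packets in STREAM whose FIELD (frame.len or tcp.len) equals VALUE.
count_len() {
    awk -F'\t' -v s="$1" -v f="$2" -v v="$3" '
        BEGIN { col = (f == "frame.len") ? 2 : 3 }
        $1 == s && $col == v { n++ }
        END { print n + 0 }'
}

# histogram STREAM
# Lines of "count<TAB>tcp.len<TAB>overhead", largest tcp.len first, where
# overhead = frame.len - tcp.len (link + IP + TCP headers, including options).
histogram() {
    awk -F'\t' -v s="$1" '
        $1 == s && $3 != "" { c[$3 "\t" ($2 - $3)]++ }
        END { for (k in c) print c[k] "\t" k }' |
        sort -t "$(printf '\t')" -k2,2nr -k3,3n
}

sample_rows | histogram 278
echo "278: tcp.len==1460 -> $(sample_rows | count_len 278 tcp.len 1460)"
echo "279: frame.len==1514 -> $(sample_rows | count_len 279 frame.len 1514)," \
     "tcp.len==1460 -> $(sample_rows | count_len 279 tcp.len 1460)"
```

Against a real capture, replace `sample_rows` with the tshark command shown in the header comment.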
