Ask Your Question

How to find the number of Pkt Lengths (1514) in a given Stream Index

asked 2019-11-19 19:33:45 +0000

JTech_17 gravatar image

Hello, I'm filtering on a particular stream index, but I also want to know the total number of packets of length 1460 that are contained within that single stream.

I'm trying this: eq 278 && tcp.len == 1460

and then referencing the number displayed at the bottom (Packets: xxxx - Displayed: xxxxx)

Is this the most accurate way? Suggestions are quite welcome. thanks, JTech

edit retag flag offensive close merge delete


The question title seems to be asking for frame.len==1514 ?

Chuckc gravatar imageChuckc ( 2019-11-19 20:15:33 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2019-11-19 20:28:46 +0000

SYN-bit gravatar image

tshark -r <file.pcap> -Y " && tcp.len==1460" | wc -l

or get an overview of all the lengths:

tshark -r <file.pcap> -Y "" -T fields -e tcp.len | sort -rn | uniq -c

edit flag offensive delete link more


In case others are looking at the above answer, it won't work on Windows as it relies on utilities (wc, uniq) and options (the -rn to sort) that aren't available.

A PowerShell equivalent is:

tshark -r <file.pcap> -Y " && tcp.len==1460" | Measure-Object -Line


tshark -r <file.pcap> -Y "" -T fields -e tcp.len | Group-Object -NoElement
grahamb gravatar imagegrahamb ( 2019-11-20 11:00:07 +0000 )edit

Thanks for the powershell versions Graham, I still need to find some time to get familiar with PowerShell, as I do like the object oriented nature of PowerShell :-)

SYN-bit gravatar imageSYN-bit ( 2019-11-20 21:09:32 +0000 )edit

I had started down the PowerShell path last year and was rescued by WSL. :-)

Windows file system is at "/mnt/c" and alias ".exe" files to short name.

    $ pwd
    /mnt/c/Program Files/Wireshark
    $ alias
    alias ls='ls --color=auto'
    alias nmap='nmap.exe'
    alias tshark='tshark.exe'
Chuckc gravatar imageChuckc ( 2019-11-20 23:36:24 +0000 )edit

WSL is certainly useful, but is quite a large sledgehammer to crack this nut.

Note that PowerShell Core is cross platform and is open source and available on multiple platforms.

grahamb gravatar imagegrahamb ( 2019-11-21 09:38:57 +0000 )edit

Ha! Learn something everyday. Did not know about PowerShell for other operating systems. Thanks!

Chuckc gravatar imageChuckc ( 2019-11-21 12:52:20 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-11-19 19:33:45 +0000

Seen: 61 times

Last updated: Nov 19 '19