Tshark: How to find MIN, MAX, AVG Packet Lengths in PCAP File?

asked 2020-02-27 18:25:05 +0000

redapplesonly
5 ●1 ●3 ●3

Hi everyone,

I have a series of large PCAP files on my Linux machine. I need to use tshark (v 2.2.6) to read the files, then compute the MIN, MAX, and AVG for all packet lengths. In other words, if I somehow had this:

root@linux:~# tshark -r myCap.pcap
    1   0.000000 10.10.10.10 → 10.10.10.20 ICMP 98  Echo (ping) request  id=0x1e44, seq=1/256, ttl=63
    2   0.000688 10.10.10.20 → 10.10.10.10 ICMP 98  Echo (ping) reply    id=0x1e44, seq=1/256, ttl=63 (request in 1)
    3   0.993300 10.10.10.10 → 10.10.10.20 ICMP 100 Echo (ping) request  id=0x1e44, seq=2/512, ttl=63
    4   0.994362 10.10.10.20 → 10.10.10.10 ICMP 100 Echo (ping) reply    id=0x1e44, seq=2/512, ttl=63 (request in 3)
    5   1.994626 10.10.10.10 → 10.10.10.20 ICMP 98  Echo (ping) request  id=0x1e44, seq=3/768, ttl=63
    6   1.995368 10.10.10.20 → 10.10.10.10 ICMP 98  Echo (ping) reply    id=0x1e44, seq=3/768, ttl=63 (request in 5)
    7   2.996105 10.10.10.10 → 10.10.10.20 ICMP 150 Echo (ping) request  id=0x1e44, seq=4/1024, ttl=63
    8   3.003030 10.10.10.20 → 10.10.10.10 ICMP 150 Echo (ping) reply    id=0x1e44, seq=4/1024, ttl=63 (request in 7)
    9   3.997729 10.10.10.10 → 10.10.10.20 ICMP 98  Echo (ping) request  id=0x1e44, seq=5/1280, ttl=63
   10   3.998719 10.10.10.20 → 10.10.10.10 ICMP 98  Echo (ping) reply    id=0x1e44, seq=5/1280, ttl=63 (request in 9)
   11   4.999701 10.10.10.10 → 10.10.10.20 ICMP 98  Echo (ping) request  id=0x1e44, seq=6/1536, ttl=63
   12   5.006203 10.10.10.20 → 10.10.10.10 ICMP 98  Echo (ping) reply    id=0x1e44, seq=6/1536, ttl=63 (request in 11)
root@linux:~#

Then I need some output that looks like this:

root@linux:~# tshark -r myCap.pcap -z io,stat,0,MIN(Length)filter 
MIN: 98
root@linux:~# tshark -r myCap.pcap -z io,stat,0,MAX(Length)filter 
MAX: 150
root@linux:~# tshark -r myCap.pcap -z io,stat,0,AVG(Length)filter 
AVG: 107 
root@linux:~#

Or better yet:

root@linux:~# tshark -r myCap.pcap -z io,stat,0,MIN,MAX,AVG(Length)filter 
MIN: 98  MAX: 150  AVG: 107 
root@linux:~#

The ‘-z’ option is obviously the way to go here, but the later syntax trips me up. The format for what I think I want is:

-z io,stat,interval,AVG (field)filter

But after that, I’m fairly lost. Here’s what I do know:

I want the interval to be “0” because I want the entire PCAP file to be summarized
I think I want the field to ...

(more)

edit retag flag offensive close merge delete

add a comment

answered 2020-02-27 22:28:45 +0000

Chuckc
3023 ●6 ●608 ●20

admin1@ubuntu1:~/Downloads$ tshark -n -q -r ./blue* -z io,stat,0,"MIN(frame.len)frame.len","MAX(frame.len)frame.len","AVG(frame.len)frame.len"

===================================
| IO Statistics                   |
|                                 |
| Duration: 78.0 secs             |
| Interval: 78.0 secs             |
|                                 |
| Col 1: MIN(frame.len)frame.len  |
|     2: MAX(frame.len)frame.len  |
|     3: AVG(frame.len)frame.len  |
|---------------------------------|
|              |1    |2     |3    |
| Interval     | MIN |  MAX | AVG |
|---------------------------------|
|  0.0 <> 78.0 |  54 | 1434 | 616 |
===================================

edit flag offensive delete link

Comments

Yes! YES!!! This did it! You are a genius, sir! Thank you... :)

redapplesonly ( 2020-02-28 17:58:30 +0000 )edit

add a comment

Tshark: How to find MIN, MAX, AVG Packet Lengths in PCAP File?

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Tshark: How to find MIN, MAX, AVG Packet Lengths in PCAP File? edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Tshark: How to find MIN, MAX, AVG Packet Lengths in PCAP File?