Counting number of packets with a given string in packet bytes

asked 2020-07-09 22:09:41 +0000

chobbs

I'm searching for a particular string in the packet bytes via Edit -> Find Packet. Is there a way to count the total number of these instances found? Is it possible to do the same search with tshark so I can perform some other analysis on the results?

I'm pretty sure I can get close enough with display filters in tshark:

tshark -r my.pcap -Y "frame matches \"mystring\""

I'm definitely open to other solutions, though.

chobbs ( 2020-07-09 22:32:30 +0000 )

What OS are you working on?

Chuckc ( 2020-07-09 22:37:06 +0000 )

Linux (specifically Kubuntu)

chobbs ( 2020-07-09 22:52:28 +0000 )

Can you treat it like a binary file and use a mix of Linux commands?

$ strings -a ./200709_strings_grep.pcapng | grep -i test123
test123 test123
test123 test123
$ strings -a ./200709_strings_grep.pcapng | grep -i test123 | wc
      7       9      72

The "other analysis" with tshark - were you hoping to it all in one pass somehow?

Chuckc ( 2020-07-09 23:57:19 +0000 )

That's a pretty clever approach, but something is off. It returns a higher number than the tshark examples. I suspect perhaps the string appears multiple times in a given packet, which would yield a higher count.

chobbs ( 2020-07-10 15:10:21 +0000 )

answered 2020-07-10 02:51:25 +0000

cmaynard


updated 2020-07-10 02:51:56 +0000

Have a look at the tshark man page regarding the -z io,stat option.

In the following example, I just used an arbitrary filter of "ip", but where I've used "ip", you'd use "frame matches \"mystring\"":

tshark -q -r file.pcapng -z io,stat,0,"ip"
| IO Statistics                   |
|                                 |
| Duration: 19.3 secs             |
| Interval: 19.3 secs             |
|                                 |
| Col 1: ip                       |
|              |1               | |
| Interval     | Frames | Bytes | |
|-------------------------------| |
|  0.0 <> 19.3 |      2 |  1072 | |

The -z io,stat option also supports other features than just simply display filters, such as COUNT(field)filter, which might be all you're looking for here, in which case you could run something like:

tshark -q -r file.pcapng -z io,stat,0,"COUNT(frame)frame matches \"mystring\""

This nails it exactly, thanks! I was unaware of the COUNT expression or the io,stat options. This yields the same count as the number of results I got when I ran a display filter.

chobbs ( 2020-07-10 15:11:24 +0000 )
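The discrepancy discussed in the comments (strings | grep | wc versus a tshark frame-matches count) comes down to counting occurrences versus counting packets. The following Python script is an added example, not from the thread: it walks a classic pcap file (not pcapng) and returns both numbers for a literal byte string. The sample capture is constructed inline.

```python
import struct

def _pcap_packets(data: bytes):
    """Yield the raw bytes of each record in a classic pcap file.

    Only the standard magic (0xA1B2C3D4, either byte order) is handled;
    the nanosecond variant and pcapng are out of scope for this example.
    """
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def count_matches(data: bytes, needle: bytes):
    """Return (packets containing needle, total occurrences of needle).

    The first number is what a per-frame display filter reports; the second
    is what an occurrence-based count (e.g. grep over strings output) tends
    towards when a packet carries the string more than once.
    """
    packets = occurrences = 0
    for pkt in _pcap_packets(data):
        n = pkt.count(needle)  # literal, non-overlapping substring count
        if n:
            packets += 1
            occurrences += n
    return packets, occurrences

def _pkt(payload: bytes) -> bytes:
    """Constructed record: zero timestamps, incl_len == orig_len, then bytes."""
    return struct.pack("<IIII", 0, 0, len(payload), len(payload)) + payload

# Constructed sample capture: global header (magic, 2.4, zone, sigfigs,
# snaplen, linktype Ethernet) followed by three records with dummy headers.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + \
    _pkt(b"\x00" * 14 + b"GET /?q=test123 HTTP/1.1\r\n") + \
    _pkt(b"\x00" * 14 + b"test123 test123\n") + \
    _pkt(b"\x00" * 14 + b"nothing here\n")

if __name__ == "__main__":
    print(count_matches(SAMPLE_PCAP, b"test123"))  # (2, 3)
```

Note that tshark's `matches` operator takes a regular expression, whereas this script matches the literal byte string.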

