I'm searching for a particular string in the packet bytes via Edit -> Find Packet. Is there a way to count the total number of these instances found? Is it possible to do the same search with tshark so I can perform some other analysis on the results?
Have a look at the tshark man page regarding the -z io,stat option.
In the following example, I just used an arbitrary filter of "ip", but where I've used "ip", you'd use "frame matches \"mystring\"":
tshark -q -r file.pcapng -z io,stat,0,"ip"
===================================
| IO Statistics |
| |
| Duration: 19.3 secs |
| Interval: 19.3 secs |
| |
| Col 1: ip |
|---------------------------------|
| |1 | |
| Interval | Frames | Bytes | |
|-------------------------------| |
| 0.0 <> 19.3 | 2 | 1072 | |
===================================
The -z io,stat option also supports other features than just simply display filters, such as COUNT(field)filter, which might be all you're looking for here, in which case you could run something like:
tshark -q -r file.pcapng -z io,stat,0,"COUNT(frame)frame matches \"mystring\""
Asked: 2020-07-09 22:09:41 +0000
Seen: 2,397 times
Last updated: Jul 10 '20
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
I'm pretty sure I can get close enough with display filters in tshark:
tshark -r my.pcap -Y "fame matches \"mystring\""
I'm definitely open to other solutions, though.
What OS are you working on?
Linux (specifically Kubuntu)
Can you treat it like a binary file and use a mix of Linux commands?
The "other analysis" with
tshark- were you hoping to it all in one pass somehow?that's a pretty clever approach, but something is off. it returns a higher number than than the tshark examples. i suspect perhaps the string appears multiple times in a given packet which would yield a higher count.