Tshark: How to find MIN, MAX, AVG Packet Lengths in PCAP File?

Hi everyone,

I have a series of large PCAP files on my Linux machine. I need to use tshark (v 2.2.6) to read the files, then compute the MIN, MAX, and AVG for all packet lengths. In other words, if I somehow had this:

[email protected]:~# tshark -r myCap.pcap
    1   0.000000 → ICMP 98  Echo (ping) request  id=0x1e44, seq=1/256, ttl=63
    2   0.000688 → ICMP 98  Echo (ping) reply    id=0x1e44, seq=1/256, ttl=63 (request in 1)
    3   0.993300 → ICMP 100 Echo (ping) request  id=0x1e44, seq=2/512, ttl=63
    4   0.994362 → ICMP 100 Echo (ping) reply    id=0x1e44, seq=2/512, ttl=63 (request in 3)
    5   1.994626 → ICMP 98  Echo (ping) request  id=0x1e44, seq=3/768, ttl=63
    6   1.995368 → ICMP 98  Echo (ping) reply    id=0x1e44, seq=3/768, ttl=63 (request in 5)
    7   2.996105 → ICMP 150 Echo (ping) request  id=0x1e44, seq=4/1024, ttl=63
    8   3.003030 → ICMP 150 Echo (ping) reply    id=0x1e44, seq=4/1024, ttl=63 (request in 7)
    9   3.997729 → ICMP 98  Echo (ping) request  id=0x1e44, seq=5/1280, ttl=63
   10   3.998719 → ICMP 98  Echo (ping) reply    id=0x1e44, seq=5/1280, ttl=63 (request in 9)
   11   4.999701 → ICMP 98  Echo (ping) request  id=0x1e44, seq=6/1536, ttl=63
   12   5.006203 → ICMP 98  Echo (ping) reply    id=0x1e44, seq=6/1536, ttl=63 (request in 11)
[email protected]:~#

Then I need some output that looks like this:

[email protected]:~# tshark -r myCap.pcap -z io,stat,0,MIN(Length)filter 
MIN: 98
[email protected]:~# tshark -r myCap.pcap -z io,stat,0,MAX(Length)filter 
MAX: 150
[email protected]:~# tshark -r myCap.pcap -z io,stat,0,AVG(Length)filter 
AVG: 107 
[email protected]:~#

Or better yet:

[email protected]:~# tshark -r myCap.pcap -z io,stat,0,MIN,MAX,AVG(Length)filter 
MIN: 98  MAX: 150  AVG: 107 
[email protected]:~#

The ‘-z’ option is obviously the way to go here, but the latter syntax trips me up. The format for what I think I want is:

-z io,stat,interval,AVG (field)filter

But after that, I’m fairly lost. Here’s what I do know:

  • I want the interval to be “0” because I want the entire PCAP file to be summarized
  • I think I want the field to be “Length,” because that’s what popped up in a “tshark -G fields”
  • I’m not certain what the filter should be, or if it’s even needed?

Any advice? Many thanks!
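The two ways I would actually type this, as an added example that is not part of the original question. The field tshark exposes for the on-the-wire frame size is `frame.len` (the “Length” column is just that field's display name), and the trailing filter in `MIN(field)filter` is the display filter a frame must match to be counted, so using `frame.len` itself as the filter counts every frame. The `io,stat` form is the built-in aggregate; the second function streams `frame.len` through awk, which is the version you can adapt to any per-packet field. It assumes `tshark` is on `PATH` and reuses the file name `myCap.pcap` from the post.

```shell
#!/bin/sh
# Packet-length statistics over a whole capture with tshark.
# Added example; assumes a tshark build with the io,stat tap (any 2.x).

# 1. Built-in aggregate: interval 0 = one bucket covering the entire file.
#    Each "FUNC(field)filter" term is quoted so the shell leaves the
#    parentheses and commas for tshark. -q suppresses per-packet lines.
pcap_len_stats_iostat() {
    tshark -r "$1" -q \
        -z 'io,stat,0,MIN(frame.len)frame.len,MAX(frame.len)frame.len,AVG(frame.len)frame.len'
}

# 2. Stream one frame.len per line and reduce it here; usable for any
#    numeric field (-e ip.len, -e tcp.len, ...) and easy to script around.
len_stats() {
    awk '
        NF == 0 { next }                       # ignore blank lines
        n == 0 || $1 < min { min = $1 }        # first record seeds min/max
        n == 0 || $1 > max { max = $1 }
        { sum += $1; n++ }
        END {
            if (n == 0) { print "no packets" > "/dev/stderr"; exit 1 }
            printf "MIN: %d  MAX: %d  AVG: %d\n", min, max, sum / n
        }'
}

pcap_len_stats() {
    tshark -r "$1" -T fields -e frame.len | len_stats
}

# Usage: ./len_stats.sh myCap.pcap
if [ -n "${1-}" ]; then
    pcap_len_stats_iostat "$1"
    pcap_len_stats "$1"
fi
```

`pcap_len_stats_iostat` prints tshark's own table rather than a single line, but the MIN, MAX and AVG columns carry the same values the awk version prints (AVG is truncated to an integer in both). To restrict the statistics to a subset of traffic, replace the trailing `frame.len` in each term with a display filter such as `icmp`, or add `-Y icmp` to the `-T fields` command.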