This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to Filter by Multiple IP addresses and Generate Throughput Data Over Time


Hello,

My objective is to generate a script that can output network throughput over time by network stream "Sender IP to Receiver IP". Currently I can do that for a single sender and a single receiver using the script below. However, I have one more additional use case where I have 5 senders and one receiver, and my current script will not work for that. My question is: using multiple sender IPs and a single receiver IP, is there an easy way to generate throughput data over time for each stream?

# Two-pass read (-2) with a read filter for UDP; drop the fractional seconds so
# every frame of the same second compares equal, then sum bytes per second.
tshark -r $file -T fields -e frame.time -e frame.len -2 -R "udp" |\
  sed -e 's/\..*\t/\t/' |\
  awk -F"\t" '$1==last {sum += $2; next}                      # same second: accumulate
              last!="" {printf("%s %8d bytes/s (%6.2f Mbit/s)\n", last, sum, sum*8/1024/1024)}
              {last=$1; sum=$2}                               # new second: reset
              END {if (last!="") printf("%s %8d bytes/s (%6.2f Mbit/s)\n", last, sum, sum*8/1024/1024)}'

Output:

Jul 27, 2015 12:07:42   579387 bytes/s (  4.42 Mbit/s)
Jul 27, 2015 12:07:43   597240 bytes/s (  4.56 Mbit/s)
Jul 27, 2015 12:07:44   596070 bytes/s (  4.55 Mbit/s)
Jul 27, 2015 12:07:45   595728 bytes/s (  4.55 Mbit/s)
...

Thanks,

Joe

asked 12 Aug '15, 12:35


danjoemart


One Answer:


There are many ways to do that.

Option #1: Use the tshark stats

tshark -nr http.pcap -q -R "udp and host x.x.x.x and host y.y.y.y" -z io,stat,1

Output:

=============================
| IO Statistics             |
|                           |
| Duration: 2.611393 secs   |
| Interval: 1 secs          |
|                           |
| Col 1: Frames and bytes   |
|---------------------------|
|          |1               |
| Interval | Frames | Bytes |
|---------------------------|
|  0 <> 1  |      2 |  5324 |
|  1 <> 2  |     12 |  6740 |
|  2 <> Dur|      4 |  2212 |
=============================

Then parse the output with a script to extract the column with the bytes (per second).

A more complex example, with filters for different sessions.

tshark -nr http.pcap -q -z io,stat,1,"ip.src eq 192.168.90.55 and ip.dst eq 216.34.181.134","ip.addr eq 216.34.181.134"

===============================================================
| IO Statistics                                               |
|                                                             |
| Duration: 2.611393 secs                                     |
| Interval: 1 secs                                            |
|                                                             |
| Col 1: ip.src eq 192.168.90.55 and ip.dst eq 216.34.181.134 |
|     2: ip.addr eq 216.34.181.134                            |
|-------------------------------------------------------------|
|          |1               |2               |                |
| Interval | Frames | Bytes | Frames | Bytes |                |
|--------------------------------------------|                |
|  0 <> 1  |      0 |     0 |      0 |     0 |                |
|  1 <> 2  |      6 |  3516 |      6 |  3516 |                |
|  2 <> Dur|      0 |     0 |      0 |     0 |                |
===============================================================

Option #2: use tshark in a more generic way

tshark -nr http.pcap -T fields -e frame.number -e frame.time -e frame.len -e ip.src -e ip.dst -E 'separator=;'

Then use a more complex script to extract whatever you need. You can also combine the whole thing with a display filter.

tshark -nr http.pcap -T fields -e frame.number -e frame.time -e frame.len -e ip.src -e ip.dst -E 'separator=;' -Y "ip.src eq x.x.x.x and ip.dst eq z.z.z.z"

Regards
Kurt

answered 15 Aug '15, 03:11


Kurt Knochner ♦
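As an added example (not part of Joe's question or Kurt's answer), the script below does what the question asks for the multi-sender case, built on Option #2's `-T fields` output: it groups bytes per sender/receiver pair and per interval, zero-fills quiet intervals so each stream is a continuous time series, and can restrict the report to one receiver. It assumes tshark is run with `frame.time_epoch` instead of `frame.time` (a standard tshark field, which avoids parsing the date string) and with `-E 'separator=;'`, the `;` quoted so the shell does not treat it as a command terminator. The sample lines are constructed, not from a real capture. On current tshark versions `-R` is a read filter that needs `-2`, while `-Y` is the display filter.

```python
"""Per-stream throughput over time from tshark field output (added example).

Assumed tshark invocation (frame.time_epoch instead of frame.time):
  tshark -nr capture.pcap -Y udp -T fields \
         -e frame.time_epoch -e frame.len -e ip.src -e ip.dst -E 'separator=;'
"""
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Record = Tuple[int, int, str, str]      # (epoch ns, frame bytes, ip.src, ip.dst)
Stream = Tuple[str, str]                # (sender IP, receiver IP)
Sample = Tuple[float, int, float]       # (offset seconds, bytes, Mbit/s)

# Constructed sample: three senders to 10.0.0.9, one reply frame, one non-IP frame.
SAMPLE = """\
1439388900.100000000;1400;10.0.0.1;10.0.0.9
1439388900.350000000;1400;10.0.0.2;10.0.0.9
1439388900.700000000;600;10.0.0.1;10.0.0.9
1439388901.200000000;1400;10.0.0.3;10.0.0.9
1439388901.900000000;200;10.0.0.9;10.0.0.1
1439388902.100000000;60;;
1439388903.500000000;1400;10.0.0.1;10.0.0.9
"""


def _to_ns(epoch: str) -> int:
    """Convert tshark's 'seconds.nanoseconds' string to integer ns (no float rounding)."""
    secs, _, frac = epoch.partition(".")
    return int(secs) * 1_000_000_000 + int((frac + "000000000")[:9])


def parse_fields(lines: Iterable[str]) -> List[Record]:
    """Parse ';'-separated field lines; frames without ip.src/ip.dst (ARP etc.) are skipped."""
    records: List[Record] = []
    for line in lines:
        parts = line.rstrip("\n").split(";")
        if len(parts) != 4:
            continue
        ts, length, src, dst = parts
        if not src or not dst:
            continue
        records.append((_to_ns(ts), int(length), src, dst))
    return records


def per_stream_throughput(records: List[Record], interval_s: float = 1.0,
                          receiver: Optional[str] = None) -> Dict[Stream, List[Sample]]:
    """Bytes and Mbit/s per (src, dst) stream per interval, zero-filled.

    Intervals are counted from the first frame in the capture (like -z io,stat),
    so every stream shares the same time axis. Mbit/s uses 10^6 bits.
    """
    if not records:
        return {}
    interval_ns = int(round(interval_s * 1e9))
    t0 = min(r[0] for r in records)
    buckets: Dict[Stream, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for ts, length, src, dst in records:
        if receiver is not None and dst != receiver:
            continue
        buckets[(src, dst)][(ts - t0) // interval_ns] += length
    if not buckets:
        return {}
    last = max(i for per in buckets.values() for i in per)
    series: Dict[Stream, List[Sample]] = {}
    for stream, per in buckets.items():
        series[stream] = [
            (i * interval_s, per.get(i, 0), per.get(i, 0) * 8 / (interval_s * 1e6))
            for i in range(last + 1)
        ]
    return series


def render(series: Dict[Stream, List[Sample]]) -> List[str]:
    """Format one block per stream, one line per interval."""
    lines = []
    for (src, dst), samples in sorted(series.items()):
        lines.append(f"{src} -> {dst}")
        for offset, nbytes, mbps in samples:
            lines.append(f"  {offset:7.1f}s {nbytes:8d} bytes/s ({mbps:7.3f} Mbit/s)")
    return lines


if __name__ == "__main__":
    # Pipe tshark output in with '-' as the argument; otherwise use the constructed sample.
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE.splitlines()
    receiver_ip = sys.argv[2] if len(sys.argv) > 2 else "10.0.0.9"
    print("\n".join(render(per_stream_throughput(parse_fields(source), 1.0, receiver_ip))))
```

Run it as `tshark ... | python3 throughput.py - 10.0.0.9` to report only streams towards one receiver, or omit the receiver argument to keep every sender/receiver pair. Because the interval index is computed from integer nanoseconds, frames are never assigned to the wrong second by floating-point drift, which is the subtle failure of dividing float timestamps.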