Tshark statistics to show port numbers?

1

My apologies if this comes off as an overly newb question. I have been tasked by a coworker to take a repository of pcaps and provide output from them in the form of...

src ip:src port    dst ip:dst port    # of packets

I played around with piping tcpdump to grep for a while before figuring out that tshark might be far easier, and I've managed to get the output that I need with the exception of the source and destination ports.

The command that I've used is...

tshark -r file.pcap -z conv,ip -q

The output would be perfect if I could get it to display port numbers beside each IP. I've been digging through the man pages with little luck so far. If anyone can recommend a solution, I would be most appreciative.

Thanks

asked 25 Aug '11, 14:15

Mark


One Answer:

1

Simple: (assuming you're referring to TCP ports) try

tshark -r file.pcap -z conv,tcp -q

:)

answered 25 Aug '11, 14:56

Bill Meier ♦♦

edited 25 Aug '11, 14:57

The TShark command to do this for UDP ports is left as an exercise for the reader. :-)

(25 Aug '11, 17:53) Guy Harris ♦♦

Ever have one of those head-to-desk moments? I had one when I read that. Thank you, Bill! As an aside, is it possible to display multiple protocols with this? Something like...

-z conv,tcp&udp

(26 Aug '11, 08:17) Mark
2

$ tshark -r http.pcap -q -z conv,tcp -z conv,udp

See the TShark man-page for more information:
http://www.wireshark.org/docs/man-pages/tshark.html

(26 Aug '11, 10:27) joke
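
For the original task of summarizing a whole repository of pcaps, here is an added example (not from the thread or the Wireshark project) that counts packets per directional flow from TShark's field output rather than parsing the `-z conv` tables. The function names, the directory argument and the sample rows are assumptions made here, and it covers IPv4 TCP and UDP only.

```shell
#!/bin/sh
# Added example: packets per directional flow across a directory of pcaps.
# IPv4 TCP/UDP only; function names and sample rows are assumptions made here.

# One tab-separated row per packet:
#   ip.src tcp.srcport udp.srcport ip.dst tcp.dstport udp.dstport
# occurrence=f keeps the first (outermost) value when a field repeats, e.g.
# in tunnels; !icmp drops ICMP errors that quote another host's TCP/UDP header.
extract_rows() {
    tshark -r "$1" -Y 'ip && (tcp || udp) && !icmp' \
        -T fields -E separator=/t -E occurrence=f \
        -e ip.src -e tcp.srcport -e udp.srcport \
        -e ip.dst -e tcp.dstport -e udp.dstport
}

# Read rows on stdin; print "proto  src:port  dst:port  packets", busiest first.
count_flows() {
    awk -F'\t' '
        $1 == "" || $4 == "" { next }            # no IPv4 addresses: skip
        $2 != "" { proto = "tcp"; sp = $2; dp = $5 }
        $2 == "" && $3 != "" { proto = "udp"; sp = $3; dp = $6 }
        $2 == "" && $3 == "" { next }            # no ports: skip
        { n[proto "\t" $1 ":" sp "\t" $4 ":" dp]++ }
        END { for (k in n) printf "%s\t%d\n", k, n[k] }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k4,4nr -k1,3
}

# Merge every capture in a directory into one table.
flows_in_dir() {
    for f in "$1"/*.pcap "$1"/*.pcapng; do
        if [ -f "$f" ]; then extract_rows "$f"; fi
    done | count_flows
}

# Constructed sample rows (not from a real capture) so the script runs offline.
sample_rows() {
    printf '10.0.0.1\t5000\t\t10.0.0.2\t80\t\n'
    printf '10.0.0.1\t5000\t\t10.0.0.2\t80\t\n'
    printf '10.0.0.2\t80\t\t10.0.0.1\t5000\t\n'
    printf '10.0.0.3\t\t5353\t224.0.0.251\t\t5353\n'
}

if [ "$#" -gt 0 ]; then flows_in_dir "$1"; else sample_rows | count_flows; fi
```

Pass the directory holding the captures as the only argument; with no argument the script tallies the constructed sample rows instead.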