Wireshark mailing list archives

tshark - compare src and dst counts for an IP address.


From: Gary Taylor <squeaky () SDF ORG>
Date: Fri, 10 Jul 2015 13:35:15 -0700

I've got .pcap files that I use to verify traffic is
bi-directional.

I currently use tshark and do something like
./tshark -r capture.pcap ip.src == 192.168.1.1 | wc -l
./tshark -r capture.pcap ip.dst == 192.168.1.1 | wc -l

and compare the number of lines returned. As long as they're
close I'm happy.  

Is there a smarter method to compare ip "request/responses"?
I don't need to have exact data.  Just want to make sure the
numbers are "close".  I'd like to do it in one pass because the
pcap files get rather large and can take a while to go
through.  


Thanks,
Gary
-- 
squeaky () sdf lonestar org
SDF Public Access UNIX System - http://sdf.lonestar.org
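
One way to get both counts from a single read of the capture, as an added example that is not part of the original post: tshark prints ip.src and ip.dst for every packet involving the address, and awk tallies each direction. The function names, the percentage tolerance check, and the sample lines are assumptions made for illustration.

```shell
# count_directions IP
# Reads tab-separated "ip.src<TAB>ip.dst" lines on stdin and prints
# "src=<n> dst=<m>" for the given address.
count_directions() {
    awk -F '\t' -v ip="$1" '
        $1 == ip { src++ }
        $2 == ip { dst++ }
        END { printf "src=%d dst=%d\n", src, dst }
    '
}

# pcap_directions FILE IP
# One tshark pass over the capture. -E occurrence=f prints only the first
# ip.src/ip.dst per packet, so packets carrying a second IP header (for
# example ICMP errors) are compared on the outer header instead of
# producing comma-joined values that never match the address.
pcap_directions() {
    tshark -r "$1" -Y "ip.addr == $2" -T fields \
        -e ip.src -e ip.dst -E occurrence=f | count_directions "$2"
}

# directions_close SRC DST PCT
# Succeeds when the counts differ by at most PCT percent of the larger one.
# Fails when both counts are zero (no traffic for the address at all).
directions_close() (
    src=$1; dst=$2; pct=$3
    if [ "$src" -ge "$dst" ]; then hi=$src; lo=$dst; else hi=$dst; lo=$src; fi
    [ "$hi" -gt 0 ] && [ $(( (hi - lo) * 100 )) -le $(( hi * pct )) ]
)

# Constructed sample of tshark field output (not from a real capture).
sample_fields() {
    printf '192.168.1.1\t10.0.0.5\n10.0.0.5\t192.168.1.1\n'
    printf '192.168.1.1\t10.0.0.5\n10.0.0.5\t192.168.1.1\n'
    printf '192.168.1.1\t10.0.0.9\n'
}

# Usage against a real file (requires tshark):
#   pcap_directions capture.pcap 192.168.1.1
```

A direction that shows zero packets, or a ratio far outside the chosen tolerance, points to one-way traffic such as asymmetric routing or a capture point that sees only one side.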