Wireshark mailing list archives
Re: [Wireshark-users] tshark - compare src and dst counts for an IP address.
From: Christopher Maynard <Christopher.Maynard () igt com>
Date: Mon, 13 Jul 2015 15:26:06 +0000 (UTC)
Gary Taylor <squeaky@...> writes:
I've got .pcap files that I use to verify traffic is bi-directional. I currently use tshark and do something like

    ./tshark -r capture.pcap ip.src == 192.168.1.1 | wc -l
    ./tshark -r capture.pcap ip.dst == 192.168.1.1 | wc -l

and compare the number of lines returned. As long as they're close I'm happy. Is there a smarter method to compare ip "request/responses"? I don't need to have exact data. Just want to make sure the numbers are "close". I'd like to do it in one pass because the pcap files get rather large and can take a while to go through.

You could try looking at the various tshark -z options? See https://www.wireshark.org/docs/man-pages/tshark.html

For example,

    tshark -r capture.pcap -Y "ip.addr eq 192.168.1.1" -z conv,ip,"ip.src eq 192.168.1.1" -z conv,ip,"ip.dst eq 192.168.1.1" -q

or

    tshark -r capture.pcap -Y "ip.addr eq 192.168.1.1" -z io,phs,"ip.src eq 192.168.1.1" -z io,phs,"ip.dst eq 192.168.1.1" -q

- Chris
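
A one-pass version of the source/destination comparison asked about in this thread, as an added example that is not part of the original messages. The function names, the sample rows and the 20% default tolerance are assumptions; `-T fields`, `-e` and `-E occurrence=f` are standard tshark options.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the default
# tolerance are assumptions made for illustration.

# Read "ip.src<TAB>ip.dst" rows on stdin and print "src dst verdict".
# verdict is "balanced" when the two counts differ by at most TOL percent
# of the larger one, "one-sided" otherwise, "no-traffic" when both are 0.
count_directions() {
    ip=$1
    tol=${2:-20}
    awk -F '\t' -v ip="$ip" -v tol="$tol" '
        $1 == ip { src++ }
        $2 == ip { dst++ }
        END {
            src += 0; dst += 0
            hi = (src > dst) ? src : dst
            lo = (src > dst) ? dst : src
            if (hi == 0)                          verdict = "no-traffic"
            else if ((hi - lo) * 100 <= tol * hi) verdict = "balanced"
            else                                  verdict = "one-sided"
            print src, dst, verdict
        }'
}

# Single read of the capture: tshark prints only the two address fields.
# -E occurrence=f keeps the first (outer) IP header when a packet carries
# several, as in ICMP errors or tunnels.
# Usage: check_pcap capture.pcap 192.168.1.1 [tolerance_percent]
check_pcap() {
    tshark -r "$1" -Y "ip.addr == $2" -T fields -e ip.src -e ip.dst \
        -E occurrence=f | count_directions "$2" "${3:-20}"
}

# Constructed sample rows standing in for tshark output.
sample_rows() {
    printf '192.168.1.1\t10.0.0.5\n'
    printf '10.0.0.5\t192.168.1.1\n'
    printf '192.168.1.1\t10.0.0.5\n'
    printf '10.0.0.5\t192.168.1.1\n'
    printf '192.168.1.1\t10.0.0.9\n'
}
```

A "one-sided" verdict on a host that should be answering requests is the case worth investigating, for example asymmetric routing or a capture point that only sees one direction.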