How to find the number of Pkt Lengths (1514) in a given Stream Index

Hello, I'm filtering on a particular stream index, but I also want to know the total number of packets of length 1460 that are contained within that single stream.

I'm trying this: tcp.stream eq 278 && tcp.len == 1460

and then referencing the number displayed at the bottom (Packets: xxxx - Displayed: xxxxx)

Is this the most accurate way? Suggestions are quite welcome. Thanks, JTech

JTech_17 (asked 2019-11-19 19:33:45 +0000)
Comments

The question title seems to be asking for frame.len==1514 ?

Chuckc (2019-11-19 20:15:33 +0000)
1 Answer

tshark -r <file.pcap> -Y "tcp.stream==278 && tcp.len==1460" | wc -l

or get an overview of all the lengths:

tshark -r <file.pcap> -Y "tcp.stream==278" -T fields -e tcp.len | sort -rn | uniq -c

SYN-bit (answered 2019-11-19 20:28:46 +0000)
Comments

In case others are looking at the above answer, it won't work on Windows as it relies on utilities (wc, uniq) and options (the -rn to sort) that aren't available.

A PowerShell equivalent is:

tshark -r <file.pcap> -Y "tcp.stream==278 && tcp.len==1460" | Measure-Object -Line

or

tshark -r <file.pcap> -Y "tcp.stream==278" -T fields -e tcp.len | Group-Object -NoElement

grahamb (2019-11-20 11:00:07 +0000)

Thanks for the PowerShell versions, Graham. I still need to find some time to get familiar with PowerShell, as I do like the object-oriented nature of PowerShell :-)

SYN-bit (2019-11-20 21:09:32 +0000)

I had started down the PowerShell path last year and was rescued by WSL. :-)
https://docs.microsoft.com/en-us/wind...

The Windows file system is at "/mnt/c", and the ".exe" files are aliased to their short names.

    $ pwd
    /mnt/c/Program Files/Wireshark
    $
    $ alias
    alias ls='ls --color=auto'
    alias nmap='nmap.exe'
    alias tshark='tshark.exe'
    $

Chuckc (2019-11-20 23:36:24 +0000)

WSL is certainly useful, but is quite a large sledgehammer to crack this nut.

Note that PowerShell Core is cross platform and is open source and available on multiple platforms.

grahamb (2019-11-21 09:38:57 +0000)

Ha! Learn something every day. Did not know about PowerShell for other operating systems. Thanks!

Chuckc (2019-11-21 12:52:20 +0000)
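The tshark pipelines above (the POSIX `sort | uniq -c` form in the answer and the PowerShell `Group-Object` form in the comments) can also be done portably with a few lines of Python that consume `tshark -T fields` output, so the same script runs on Windows, Linux and macOS without WSL. This is an added example, not code from the answerer or from the Wireshark project; it assumes `tshark` is on the PATH when `run_tshark()` is called and that `-T fields` emits one tab-separated line per packet (its default separator), with a blank field for frames that carry no TCP layer. The sample lines below are constructed. One check worth keeping in mind: `tcp.len == 1460` counts TCP payload bytes, while the `frame.len == 1514` in the question's title counts the whole Ethernet frame; the two coincide only for untagged Ethernet with 20-byte IPv4 and TCP headers (1460 + 20 + 20 + 14 = 1514).

```python
"""Count TCP segments per (stream, tcp.len) from tshark field output.

Added example (not part of the original thread). run_tshark() is an
assumption: it shells out to a tshark binary on the PATH; parse_counts()
works offline on already-captured output lines.
"""
import subprocess
from collections import Counter


def tshark_command(pcap, stream=None):
    """Build the tshark argv: one tab-separated line per packet.

    Fields requested: tcp.stream and tcp.len. When `stream` is given, the
    display filter restricts output to that single stream index.
    """
    cmd = ["tshark", "-r", pcap, "-T", "fields",
           "-e", "tcp.stream", "-e", "tcp.len"]
    if stream is not None:
        cmd += ["-Y", f"tcp.stream == {int(stream)}"]
    return cmd


def parse_counts(lines):
    """Return {stream_index: Counter({tcp_len: packet_count})}.

    Frames without a TCP layer show up as empty fields ("\t") and are
    skipped rather than miscounted as length 0. Windows CRLF is tolerated.
    """
    counts = {}
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 2 or not fields[0] or not fields[1]:
            continue  # no tcp.stream / tcp.len on this frame
        stream, length = int(fields[0]), int(fields[1])
        counts.setdefault(stream, Counter())[length] += 1
    return counts


def count_length(counts, stream, length):
    """Packets in `stream` whose tcp.len equals `length` (0 if none)."""
    return counts.get(stream, Counter()).get(length, 0)


def length_table(counts, stream):
    """Overview of one stream, like `sort -rn | uniq -c`: [(count, tcp_len)]
    ordered by tcp_len descending."""
    return sorted(((n, ln) for ln, n in counts.get(stream, Counter()).items()),
                  key=lambda t: t[1], reverse=True)


def run_tshark(pcap, stream=None):
    """Assumption: tshark is installed and on the PATH."""
    proc = subprocess.run(tshark_command(pcap, stream),
                          capture_output=True, text=True, check=True)
    return parse_counts(proc.stdout.splitlines())


# Constructed sample of `tshark -T fields -e tcp.stream -e tcp.len` output.
SAMPLE_OUTPUT = [
    "278\t1460",
    "278\t1460",
    "278\t0",        # pure ACK, no payload
    "278\t1460\r\n", # CRLF as produced on Windows
    "279\t1460",     # a different stream
    "278\t512",
    "\t",            # non-TCP frame (e.g. ARP): both fields empty
]

if __name__ == "__main__":
    counts = parse_counts(SAMPLE_OUTPUT)
    print("stream 278, tcp.len 1460:", count_length(counts, 278, 1460))
    for n, ln in length_table(counts, 278):
        print(f"{n:7d} {ln}")
```

To use it against a real capture, replace the sample with `run_tshark("<file.pcap>", 278)`; the `-Y` filter is applied by tshark itself, so the Python side only ever sees the stream's own lines.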