-z conv,ip should or -z conv,udp should sort and output a table or stats relevant to the command. But I'm just getting the results of a read -r command, frame by frame. Is version 3.0.0 different?
As @Guy Harris suggested and as per the man page for tshark:
-z <statistics>
Get TShark to collect various types of statistics and display the result after finishing reading the capture file. Use the -q option if you're reading a capture file and only want the statistics printed, not any per-packet information.
Thanks for your response. -q does not work in this context. Actually, there shouldn't be a need for any additional commands since -z conv,ip should create a correct output. I am reading a file (already captured), I am not capturing. I'm not sure that the man-pages docs are up to date with respect to version 3.0.0. Any additional comments would be welcome.
Adding -q works perfectly for me, e.g.
tshark -r cap.pcapng -q -z conv,ip
The same behaviour occurs in 2.6.1, so it doesn't seem to have been introduced in 3.0, and the docs appear to be accurate.
Can you explain what context you're using for this?
thank you for responding. It worked just as you pointed out: tshark -r cap.pcapng -q -z conv,ip. I thought I had tried that option. Would like to ask, hope you don't mind: in the output there are two headers: "Realative Start" and "Duration" (this is in the version 3.0.0 which is what I'm working with) which are causing conversation between source and destination ip address to repeat - at different time intervals...instead of getting a total/summary per conversation. In the man-pages lit there is a filter immediately after the conv command: tshark -r myfile.pcap -q -r conv,udp[,filter]; can I use that filter to avoid the repetition. Also, for many of the "conversations" there are bytes going in only one direction (zero(0) bytes on send, and 50 bytes on response, and vice versa); not sure how to interpret that. I ...
That's a separate question, and you should ask it separately.
-q does not work in this context. Actually, there shouldn't be a need for any additional commands since -z conv,ip should create a correct output.
TShark - whether it's run with a -z flag or not! - will, by default (unless it's run with a -w flag) print out the dissection of each packet, so you'll get the frame-by-frame output even if you specify a -z flag. If you specify -z flags, the output for the -z flags will be printed after the information for the last frame is printed.
-q suppresses the frame-by-frame output.
None of this is new in 3.0; that's how 2.6 and 2.4 and 2.2 and 2.0 and 1.12 and... worked.
Comments
What happens if you also use
-q, i.e.tshark -q -z conv,ip -r {your file}?Thanks for your response. -q does not work in this context. Actually, there shouldn't be a need for any additional commands since -z conv,ip should create a correct output. I am reading a file (already captured), I am not capturing. I'm not sure that the man-pages docs are up to date with respect to version 3.0.0. Any additional comments would be welcome.