Wireshark-users: Re: [Wireshark-users] Extracting the no. of ports in a pcap
Hi Nitin,
You can use the option -T fields to create a .csv file:
$ tshark -r test.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -E header=y > test.csv
ip.src tcp.srcport ip.dst tcp.dstport
10.0.1.2 1337 10.0.177.195 80
10.0.177.195 80 10.0.1.2 1337
10.0.1.2 1337 10.0.177.195 80
Or have a look at TShark statistics:
$ tshark -r test.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                  |       <-      | |       ->      | |     Total     |
                                  | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
10.0.1.2:1386 <-> 10.0.220.20:80      111  142403       57    3618      168  146021
10.0.1.2:1367 <-> 10.0.220.20:80       54   73813       30    2061       84   75874
10.0.1.2:1344 <-> 10.0.178.11:80       43   57501       29    3622       72   61123
See the man-page for more information:
http://www.wireshark.org/docs/man-pages/tshark.html
Hope this helps
Joke
On Sat, 20 Aug 2011 11:11:24 +0530 NITIN GOYAL wrote:
>Hi
>
>I have a big pcap which I want to convert into pdml format. This pcap has
>multiple sessions on different ports on a combination of Src and Dst. IP.
>
>Like
>10.x.x.x [port1] 172.0.0.1 [port y]
>10.x.x.x [port2] 172.0.0.1 [port y]
>10.x.x.x [port3] 172.0.0.1 [port y]
>10.x.x.x [port4] 172.0.0.1 [port y]
>
>Now, is there any way I can get the number of ports and their list before
>I start making the pdml for each port? So I can call tshark.exe in a
>multi-threaded program which calls multiple instances of tshark for different
>ports and I get multiple pdml files for multiple ports simultaneously.
>
>Guys, can somebody give me any advice for the things explained above?
>
>Thanks
>Nitin
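
The port list asked for in the question can be derived from the -T fields output shown in the reply. The following is an added example, not part of the original thread: the function names and the sample rows are constructed for illustration, and it assumes tab-separated field output (tshark's default) and a tshark release that takes display filters with -Y.

```shell
#!/bin/sh
# Input format: rows from
#   tshark -r test.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -E header=y
# All function names below are hypothetical helpers, not tshark features.

# Constructed sample rows (header, duplicates, reverse direction, one non-TCP row).
sample_rows() {
    printf '%s\t%s\t%s\t%s\n' \
        ip.src tcp.srcport ip.dst tcp.dstport \
        10.0.1.2 1386 10.0.220.20 80 \
        10.0.220.20 80 10.0.1.2 1386 \
        10.0.1.2 1367 10.0.220.20 80 \
        10.0.1.2 1386 10.0.220.20 80 \
        10.0.1.2 1344 10.0.178.11 80 \
        10.0.1.2 '' 10.0.220.20 ''
}

# list_ports SRC DST DPORT: unique source ports used from SRC to DST:DPORT.
# The header row and rows with empty port fields (non-TCP) never match.
list_ports() {
    awk -F'\t' -v s="$1" -v d="$2" -v p="$3" \
        '$1 == s && $3 == d && $4 == p && $2 ~ /^[0-9]+$/ { print $2 }' |
        sort -n -u
}

# port_count SRC DST DPORT: how many distinct source ports there are.
port_count() {
    list_ports "$@" | wc -l | tr -d ' '
}

# pdml_commands PCAP SRC DST DPORT: read ports on stdin and print one tshark
# command per port. ip.addr/tcp.port match either direction, so each PDML
# file holds the whole conversation. The commands are printed, not executed.
pdml_commands() {
    while read -r port; do
        printf 'tshark -r %s -Y "ip.addr==%s && ip.addr==%s && tcp.port==%s && tcp.port==%s" -T pdml > port_%s.pdml\n' \
            "$1" "$2" "$3" "$port" "$4" "$port"
    done
}

# Demo on the constructed rows.
echo "ports: $(sample_rows | port_count 10.0.1.2 10.0.220.20 80)"
sample_rows | list_ports 10.0.1.2 10.0.220.20 80 |
    pdml_commands test.pcap 10.0.1.2 10.0.220.20 80
```

With a real capture, replace sample_rows with the tshark -T fields command itself; the printed commands can then be handed to whatever runs the tshark instances in parallel.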