How to use tshark or tcpdump to calculate bytes transmitted


Solution 1

awk can sum up a column of numbers. Something like this should do the trick.

Assuming that the output of your tshark is in foo.txt:

$ cat foo.txt | awk '{ sum += $3 } END { print sum }'

You could also pipe the output of "grep" directly to awk, and it would work in a similar fashion.

Solution 2

You can rely purely on tshark to do this, by using the statistics option with the IO stat calculator:

tshark -r pcapfile -z io,stat,0,"SUM(frame.len)frame.len && ip.src == 192.168.1.1 && ip.proto == 6"

This will show a board where the SUM column is the data you are looking for.
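As an added example (not part of either answer above), the following computes the same kind of total without tshark and returns both figures side by side: the sum of the IPv4 Total Length field that the question greps for, and the sum of the frame length that `SUM(frame.len)` reports, which also counts the 14-byte Ethernet header of every packet. It assumes a classic pcap file (not pcapng) with untagged Ethernet and IPv4; `sum_bytes`, `_frame`, `build_sample_pcap` and the destination address 10.0.0.5 are hypothetical names and values, and the sample capture is constructed.

```python
import socket
import struct

def sum_bytes(pcap, src_ip, proto=6):
    """Return (packets, sum of IPv4 Total Length, sum of frame length) for
    IPv4 packets sent by src_ip with the given protocol number (6 = TCP)."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    want = socket.inet_aton(src_ip)
    packets = ip_total = frame_total = 0
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not IPv4 over untagged Ethernet
        ip = frame[14:]
        if ip[0] >> 4 != 4 or ip[9] != proto or ip[12:16] != want:
            continue
        packets += 1
        ip_total += struct.unpack("!H", ip[2:4])[0]  # "Total Length" / ip.len
        frame_total += orig_len                      # frame.len (on the wire)
    return packets, ip_total, frame_total

def _frame(src, proto, payload_len):
    """Constructed Ethernet + IPv4 frame (zeroed MACs, checksum and payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton("10.0.0.5"))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def build_sample_pcap():
    """Constructed capture: 3 TCP and 1 UDP packet from 192.168.1.1, 1 TCP from .2."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, proto, n in [("192.168.1.1", 6, 105), ("192.168.1.1", 6, 190),
                          ("192.168.1.1", 6, 20), ("192.168.1.1", 17, 50),
                          ("192.168.1.2", 6, 300)]:
        f = _frame(src, proto, n)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(sum_bytes(build_sample_pcap(), "192.168.1.1"))
```

On the constructed capture the three TCP packets from 192.168.1.1 carry Total Length values 125, 210 and 40, so the two totals differ by 3 x 14 bytes of Ethernet header.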

Author: user53029

Updated on September 18, 2022

Comments

  • user53029
    user53029 over 1 year

    I am using this command with tshark:

    tshark -r pcapfile "tcp and ip.src==192.168.1.1" -T text -V -x | grep 'Total Length'
    

    This essentially parses the pcap for only connections from the source ip and looks for the total length in bytes from each packet. I get output like this:

    Total Length: 125 
    Total Length: 210 
    Total Length: 40 
    Total Length: 125
    etc, etc....
    

    What I need to do is take the numbers from Total Length and add them up so I can get an idea of how much data was passed over the wire in the time frame of the pcap from a single IP.

    Is there a command I can add on the end of the one I am using to do this? Or is there a way I can direct to stdout and then pipe that to a program that can parse and calculate what I am after? Anyone know of a similar command with tcpdump that can do this?