
I am looking for a command line tool that will look at a capture file, tcpdump -w output, and give output equivalent to the information you get in the Wireshark conversations, and endpoint statistics.

To give you a little background, I have the output of a large capture (~3GB, in 40 files) that I can't easily transfer to a machine where I can run Wireshark, given the low bandwidth.

quanta
Zoredache
  • Could you perhaps run a tshark or tcpdump filter on the files to reduce them to a more transferable size? – Michael Lowman Jan 07 '11 at 13:20
  • @Michael Lowman, I was already filtering, and they are still large. The link in question I am trying to monitor is a ~300kb/s link. Something was saturating the link, and I was trying to identify it. – Zoredache Jan 07 '11 at 18:09

2 Answers


To expand on Niall's answer, you might try

tshark -r <capture file> -q -z conv,ip

The -q disables normal output and -z conv,ip dumps the IP conversation data. More information can be found in the man page and in Sake Blok's Sharkfest presentation.

Gerald Combs
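A worked version of the approach in the answer above, added here as an example (it is not part of the original answer): rather than merging the 40 files or copying them over the slow link, run tshark -q -z conv,ip on each file on the capture host and let a single awk pass sum the per-file Total column per address pair, then sort by bytes to see which conversation was saturating the link. The awk parser accepts both the bare integer byte columns older tshark prints and the "4,000 bytes" / "210 kB" style of current releases; treating the unit prefixes as SI (1000-based) is an assumption about Wireshark's size formatting. The two conversation tables embedded in demo_parse are constructed for illustration, not taken from a real capture. Current tshark releases also provide -z endpoints,ip, so endpoint statistics are no longer GUI-only.

```shell
#!/bin/sh
# Added example (not from the original answer): rank IPv4 conversations across a
# multi-file "tcpdump -w" capture by total bytes, using only tshark and awk on
# the host that holds the files. Assumes tshark (the Wireshark CLI) is installed.

# parse_conv_ip: read one or more "tshark -q -z conv,ip" tables on stdin and
# print "total_bytes addr_a addr_b", summed per address pair across all tables.
# Each data row has the shape
#   A <-> B  frames bytes  frames bytes  frames bytes  rel_start duration
# where newer tshark prints a byte column as "4,000 bytes" or "210 kB" (two
# fields) and older releases print a bare integer (one field). The third
# frames/bytes pair is the Total column, which is the one summed here.
parse_conv_ip() {
  awk '
    # to_bytes: turn "4,000"+"bytes", "210"+"kB" or a bare integer into a byte
    # count. Prefixes are taken as SI (1000-based); this is an assumption about
    # how Wireshark formats sizes.
    function to_bytes(n, unit) {
      gsub(",", "", n)
      if (unit == "kB") return n * 1000
      if (unit == "MB") return n * 1000000
      if (unit == "GB") return n * 1000000000
      return n + 0
    }
    $2 == "<->" {
      i = 4
      for (k = 1; k <= 3; k++) {
        n = $(i + 1)
        unit = ""
        if ($(i + 2) ~ /^(bytes|kB|MB|GB)$/) { unit = $(i + 2); i += 3 } else { i += 2 }
        total = to_bytes(n, unit)
      }
      sum[$1 " " $3] += total
    }
    END { for (pair in sum) printf "%d %s\n", sum[pair], pair }
  '
}

# top_conversations: run tshark over every capture file given and print the
# busiest address pairs (TOP, default 20). All files feed one awk pass, so a
# conversation that spans several rolled capture files is summed, not listed
# once per file.
top_conversations() {
  limit=${TOP:-20}
  for f in "$@"; do
    tshark -r "$f" -q -z conv,ip
  done | parse_conv_ip | sort -rn | head -n "$limit"
}

# demo_parse: run the parser on a constructed sample (not a real capture): two
# tables as two tshark runs over consecutive files would print them, one in the
# old bare-integer layout and one in the newer unit-suffixed layout, sharing the
# 10.0.0.5 <-> 192.168.1.20 pair so the cross-file summing is visible.
demo_parse() {
  cat <<'EOF' | parse_conv_ip | sort -rn
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.5             <-> 192.168.1.20              120      9600     340    480000     460    489600     0.000000000        59.8800
10.0.0.5             <-> 192.168.1.21               10       800      12      1440      22      2240     1.200000000        10.0000
================================================================================
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.5             <-> 192.168.1.20               50 4,000 bytes     150 210 kB        200 214 kB      0.000000000        30.0000
================================================================================
EOF
}

# With capture files on the command line, summarise them; with no arguments,
# show the parser on the constructed sample.
if [ "$#" -gt 0 ]; then
  top_conversations "$@"
else
  demo_parse
fi
```

Run it on the machine holding the captures, e.g. `sh conv-summary.sh capture-*.pcap`; only the resulting summary, a few lines of text, has to cross the 300 kb/s link. Substituting conv,tcp or conv,udp for conv,ip breaks the totals down by port as well, and the parser needs no change because the address fields then simply carry an `addr:port` suffix.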

There is a command-line component of Wireshark called tshark which would do what you need. There are better instructions available here.

Unfortunately, endpoints seem to be only available in the GUI.

Another alternative might be to use X Forwarding to run Wireshark at the far side and forward the GUI to your local desktop. Without knowing what OS you're using on your desktop, I don't know how possible this will be.

UPDATE: More detail added as per comment request.

Niall Donegan