4

I've got 50-100MB pcap files captured from Wireshark and need to analyze where most of the traffic is going to/coming from.

What's the best way of doing this? Ideally I'd like to end up with an Excel csv file showing the top 50 or so IP addresses so I can sort and analyze.

  • Not in front of my Linux box to try, but is there a way to have tshark analyze all the files at once? -r somefile.pcap somefile2.pcap somefile3.pcap? – Michael Jun 21 '11 at 01:52

2 Answers

3

You can also use tshark statistics. Here are some examples:

$ tshark -r http.pcap -q -z conv,eth -z conv,ip -z conv,tcp
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.128:1047  64.186.152.93:80           9      7834       7      1358      16      9192
192.168.108.128:1048  64.186.152.93:80           4      1868       4       623       8      2491
================================================================================
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.128       64.186.152.93             13      9702      11      1981      24     11683
192.168.108.128       192.168.108.2              1       202       1        73       2       275
================================================================================
================================================================================
Ethernet Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
00:0c:29:61:82:89     00:50:56:ee:98:59         14      9904      13      2096      27     12000
00:50:56:ee:98:59     ff:ff:ff:ff:ff:ff          0         0       1        60       1        60
================================================================================


$ tshark -r http.pcap -q -z conv,eth,eth.addr==00:0c:29:61:82:89 -z conv,ip,ip.addr==192.168.108.2 -z conv,tcp,ip.addr==64.186.152.93
================================================================================
TCP Conversations
Filter:ip.addr==64.186.152.93
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.128:1047  64.186.152.93:80           9      7834       7      1358      16      9192
192.168.108.128:1048  64.186.152.93:80           4      1868       4       623       8      2491
================================================================================
================================================================================
IPv4 Conversations
Filter:ip.addr==192.168.108.2
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.128       192.168.108.2              1       202       1        73       2       275
================================================================================
================================================================================
Ethernet Conversations
Filter:eth.addr==00:0c:29:61:82:89
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
00:0c:29:61:82:89     00:50:56:ee:98:59         14      9904      13      2096      27     12000
================================================================================

2

By source address:

tshark -T fields -e ip.src -r somefile.pcap

By destination address:

tshark -T fields -e ip.dst -r somefile.pcap

Pipe either of those to | sort | uniq -c | sort -n | tail -50

You can get the top src/dst pairs with:

tshark -T fields -e ip.src -e ip.dst -r somefile.pcap

To get a list of fields you can work with:

tshark -G fields

(Warning: Wireshark has an overwhelming list of fields.)
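Putting the answer's field extraction together into the CSV the question asks for, and covering the comment about running over several capture files: the script below is an added example, not code from either answer. It assumes tshark is on PATH and POSIX awk/sort/head; ip.src, ip.dst, frame.len and -E occurrence=f are real tshark fields and options, while the CSV column names are this example's own choice.

```shell
#!/bin/sh
# Added example: top-N IP talkers across one or more pcaps, as CSV.

# top_talkers N  -- reads tab-separated "src<TAB>dst<TAB>len" lines on stdin
# (what `tshark -T fields -e ip.src -e ip.dst -e frame.len` prints), credits
# each frame's bytes to both endpoints, and prints CSV sorted by total bytes.
top_talkers() {
    n="${1:-50}"
    awk -F'\t' -v OFS=',' '
        # Skip frames without an IP layer (ARP, STP, ...) or malformed lines.
        NF < 3 || $1 == "" || $2 == "" { next }
        {
            frames[$1]++; bytes[$1] += $3; sent[$1] += $3
            if ($1 != $2) frames[$2]++          # do not double count src==dst
            bytes[$2] += $3; recv[$2] += $3
        }
        END {
            for (a in bytes)
                print a, frames[a], bytes[a], sent[a] + 0, recv[a] + 0
        }' \
    | sort -t, -k3,3nr \
    | head -n "$n" \
    | { echo "address,frames,bytes,sent_bytes,recv_bytes"; cat; }
}

# pcap_top_talkers N file1.pcap [file2.pcap ...]
# tshark reads one capture per invocation, so loop over the files and merge
# the streams before aggregating. -E occurrence=f keeps only the first ip.src
# / ip.dst of a frame, so tunnelled or ICMP-quoted packets cannot inject a
# comma-separated address list into the CSV.
pcap_top_talkers() {
    n="$1"; shift
    for f in "$@"; do
        tshark -r "$f" -T fields -E occurrence=f \
               -e ip.src -e ip.dst -e frame.len
    done | top_talkers "$n"
}

# Usage: pcap_top_talkers 50 cap1.pcap cap2.pcap > top50.csv
```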