tshark statistics: printing the protocol hierarchy

Why does the Protocol Hierarchy show fewer packets than the pcap file contains?
https://www.wireshark.org/lists/wireshark-users/200905/msg00146.html
https://www.wireshark.org/docs/wsug_html_chunked/ChStatHierarchy.html
Packets usually contain multiple protocols. As a result, more than one protocol will be counted for each packet. Example: in the screenshot IP has 99.9% and TCP 98.5% (which together is much more than 100%).
Protocol layers can consist of packets that won't contain any higher layer protocol, so the sum of all higher layer packets may not add up to the protocol's packet count. Example: in the screenshot TCP has 98.5% but the sum of the subprotocols (TLS, HTTP, etc.) is much less. This can be caused by continuation frames, TCP protocol overhead, and other undissected data.
A single packet can contain the same protocol more than once. In this case, the protocol is counted more than once. For example, ICMP replies and many tunneling protocols will carry more than one IP header.
>#tshark.exe -qz io,phs -r file-00018.cap

Wireshark-users: Re: [Wireshark-users] tshark protocol hierarchy statistics frames count
Have you tried tshark -r test.cap -q -z io,phs
It will give you a hierarchical list of protocols, not sure if it will suit your needs.
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:433 bytes:290520
  eth                                    frames:433 bytes:290520
    ip                                   frames:433 bytes:290520
      tcp                                frames:423 bytes:289464
        http                             frames:188 bytes:267285
        ssh                              frames:24 bytes:7968
        ssl                              frames:2 bytes:237
      udp                                frames:10 bytes:1056
        data                             frames:6 bytes:355
        ntp                              frames:2 bytes:180
        nbdgm                            frames:2 bytes:521
          smb                            frames:2 bytes:521
            mailslot                     frames:2 bytes:521
              browser                    frames:2 bytes:521
===================================================================
To get just the list of protocols you could do some commandline KungFu.
tshark -r test.cap -z io,phs -q | tr -s ' ' | cut -f 2 -d ' ' | tail -n +7 | head -n -1
which will give you
eth
ip
tcp
http
ssh
ssl
udp
data
ntp
nbdgm
smb
mailslot
browser
https://security.stackexchange.com/questions/3607/extract-from-pcap-all-protocols-found

I think that -Tfields -eframe.protocols would be the closest thing you'll get.
The output looks something like this:
eth:ip:tcp:http
eth:ip:tcp
eth:ip:tcp:http:media
eth:ip:tcp
eth:ip:udp:nbdgm:smb:browser
eth:ip:tcp
eth:arp
eth:arp
eth:ipv6:udp:http
eth:ip:udp:http
As can be seen, the information displayed will vary a bit depending on which protocol dissector gets to play. So you'll need to do some post-processing to cut the parts you don't need and/or dedup (for instance using @Mark's suggestion in the comment).

Simply use I/O statistics for that:
c:\tshark -r tracefile.pcap -qz io,stat,0,ip.src==1.2.3.4,ip.dst==1.2.3.4,tcp.dstport==80

The tshark manual page lists all the options for tshark; you'll probably want to look at '-T fields' with some '-e' options, e.g. '-T fields -e ip.src' to get a list of the source IPs, '-T fields -e ip.dst' for destination IPs and '-T fields -e tcp.dstport' for the destination port.
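To tie the two threads together, here is an added example (not from the quoted posts or from tshark itself) that post-processes `-T fields -e frame.protocols` output into the same per-node counts that `-z io,phs` reports, plus the deduplicated protocol list. The sample input is constructed, modelled on the lines quoted above, with one extra frame (an ICMP error carrying an inner IP header) to show why a protocol can be counted more often than the number of frames that contain it.

```python
from collections import Counter
# Constructed sample of `tshark -r file.pcap -T fields -e frame.protocols` output,
# one line per frame; the last line is an ICMP error, so "ip" appears twice in it.
SAMPLE = """\
eth:ip:tcp:http
eth:ip:tcp
eth:ip:tcp:http:media
eth:ip:udp:nbdgm:smb:browser
eth:ip:tcp
eth:arp
eth:ipv6:udp:http
eth:ip:udp:http
eth:ip:icmp:ip:udp
"""

def parse_frames(text):
    """One list of layers per frame; blank lines are ignored."""
    return [line.split(":") for line in text.splitlines() if line.strip()]

def hierarchy_counts(frames):
    """Frames per hierarchy node, the way `-z io,phs` counts: a node is the full
    path from the outermost layer, so eth/ip and eth/ip/icmp/ip are distinct."""
    counts = Counter()
    for layers in frames:
        for depth in range(1, len(layers) + 1):
            counts["/".join(layers[:depth])] += 1
    return counts

def protocol_frame_counts(frames):
    """Frames that contain a protocol at least once (a frame counts once per protocol)."""
    counts = Counter()
    for layers in frames:
        counts.update(set(layers))
    return counts

def occurrences(node_counts, proto):
    """Frames summed over every node whose innermost layer is `proto`; exceeds
    protocol_frame_counts()[proto] when some frame carries the protocol twice."""
    return sum(n for node, n in node_counts.items() if node.rsplit("/", 1)[-1] == proto)

def distinct_protocols(frames):
    """The deduplicated protocol list that the tr/cut pipeline above produces."""
    return sorted({proto for layers in frames for proto in layers})

if __name__ == "__main__":
    frames = parse_frames(SAMPLE)
    for node, n in sorted(hierarchy_counts(frames).items()):  # sorted paths give tree order
        print("  " * node.count("/") + node.rsplit("/", 1)[-1].ljust(24), f"frames:{n}")
    print("protocols:", " ".join(distinct_protocols(frames)))
```

With this input tcp has 4 frames but its only child node (http) has 2, and ip is counted 8 times across nodes although only 7 frames contain it, which are exactly the two effects described in the Wireshark documentation quoted above.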
posted on 2018-11-18 02:57  Quinn-Yann  views (674)  comments (0)