![]() It will create a table that will list all conversation that could be seen in the capture. It helps us with the statistics is the “conversation”. Let’s move on to the next option which is quite similar to the previous option. tshark -r wlan.pcap -z endpoints,wlan -q | head This table is by default sorted according to the total number of frames. The table like the one generated in the image shown below is generated by picking up single line form each conversation and displayed against the number of packets per byte in each direction as well as the total number of packets per byte. In case that we have specified the filter option then the statistics calculations are done for that particular specified filter. UDP/IP socket pairs Both IPv4 and IPv6 supported TCP/IP socket pairs Both IPv4 and IPv6 supported The list of Endpoints that are supported by TShark is: Sno. The type function which can be used with the endpoint option will specify the endpoint type for which we want to generate the statistics. It will create a table that will list all endpoints that could be seen in the capture. Our next option which helps us with the statistics is the “endpoints”. Tshark -r wlan.pcap -z io,phs -q -2 -R udp Here we can see two different analysis one of them is first-pass analysis and the latter is the two-pass analysis. This causes TShark to buffer output until the entire first pass is done, but allows it to fill in fields that require future knowledge, it also permits reassembly frame dependencies to be calculated correctly. The “-2” parameter performs a two-pass analysis. Note that forward-looking fields such as ‘response in frame #’ cannot be used with this filter since they will not have been calculated when this filter is applied. This parameter makes sense with multiple passes. Packets which are not matching the filter are not considered for future passes. tshark -r wlan.pcap -z io,phsĭuring the first pass analysis of the packet, the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) has to be applied. Here we can observe that we have the frames count, size of packets in bytes and the Protocol used for the transmission. ![]() Then we will be taking the traffic from the file, and then sort the data into a Protocol Hierarchy. For our demonstration, we first captured some traffic and wrote the contents on a pcap file using the techniques that we learned in part 1 of this article series. But if a specific filter is provided than the TShark will calculate statistics for those packets that match the filter provided by the user. In the case where no filter is given after the “io,phs” option, the statistics will be calculated for all the packets in the scope. Using the TShark we can create a Protocol based Hierarchy Statistics listing the number of packets and bytes using the “io,phs” option in the “-z” parameter. This gives us an exhaustive list of various supported formats as shown in the image given below. Initially, to learn about all the different options inside the “-z” parameter, we will be running the TShark with the “-z” parameter followed by the help keyword. To accomplish this, we will be using the “-z” parameter with TShark. TShark collects different types of Statistics and displays their result after finishing the reading of the captured file. We will understand different ways in which we can sort our traffic capture so that we can analyse it faster and effectively. In this part, we will the Statistical Functionalities of TShark. ![]() In the previous article, we learned about the basic functionalities of this wonderful tool called TShark.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |