Hello everyone - longtime Ethereal/Wireshark user, first time poster. I'm banging my head against a wall here. I've always been thrilled with Wireshark's in-depth statistical analysis and ways of looking at connections. That being said, I have something very simple I want to do and can't figure out how to do it.
Wireshark will group packets by "TCP endpoints", in other words pairings of IP addresses and TCP destination ports. It will tell me how many packets and bytes went to IP address X on port Y. That's great and all, but what I want to know is how many packets and bytes went to port Y REGARDLESS of the IP. So basically a list like:

    TCP.DSTPORT   COUNT   BYTES
    80            9234    142352
    25            448     342344
    443           85      99834

and so on.

I have a large packet dump of all the traffic on my network from a short period of time, and I want to see which destination ports the traffic was going to the most so I can do a little traffic profiling. This seems like such a common thing that people would want to do - as advanced as some of Wireshark's capabilities are, I find it hard to believe that it doesn't do it. It's basically like the "Endpoints" capability but removing the IP addresses so I don't have to manually total up the lines where the destination port matches. The "Protocol Hierarchy" is close, but it just seems to dump a lot of packets it doesn't know what to do with under "Data", so that doesn't really help me.

If Wireshark doesn't do it, are there any tools that do? I could probably use something like Snort/BASE to import the dump file into a SQL database and then do a `SELECT tcp.dstport, COUNT(tcp.dstport) FROM dump GROUP BY tcp.dstport`, but that's a bit of a pain - especially with a large dump file. I'm hoping Wireshark or another lightweight tool can do it without the need for parsing the data into a SQL database first.

Thanks to anyone who can help!

Brad Johnson

_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
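One way to produce exactly the per-port COUNT/BYTES table asked for above, without a SQL import, is to walk the capture file directly. The script below is an added example, not code from the original post or from the Wireshark project; it uses only the Python standard library, assumes a classic libpcap file (not pcapng) with Ethernet framing, counts bytes as the original frame length the way the Endpoints view does, and builds a small constructed capture inline so it can be run as-is.

```python
import struct
from collections import defaultdict

ETH_IPV4, IPPROTO_TCP, LINKTYPE_ETHERNET = b"\x08\x00", 6, 1

def count_by_dstport(pcap_bytes):
    """Return {tcp_dstport: (packets, bytes)} over every Ethernet/IPv4/TCP frame."""
    # VLAN-tagged frames, IPv6 and non-TCP traffic are skipped; pcapng is not handled.
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # file byte order
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    stats, off = defaultdict(lambda: [0, 0]), 24          # 24 = global header size
    while off + 16 <= len(pcap_bytes):                     # 16 = per-record header
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length
        if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 4:
            continue
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        stats[dport][0] += 1
        stats[dport][1] += orig_len                        # bytes on the wire, not captured
    return {p: (c, b) for p, (c, b) in stats.items()}

def format_table(stats):
    """Render the totals as TCP.DSTPORT COUNT BYTES lines, busiest port first."""
    rows = sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)
    return ["TCP.DSTPORT COUNT BYTES"] + [f"{p} {c} {b}" for p, (c, b) in rows]

# --- constructed sample capture (synthetic, not a real dump) -----------------
def _tcp_frame(dport, payload_len):
    eth = b"\x00" * 12 + ETH_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64,
                     IPPROTO_TCP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + b"A" * payload_len

def sample_pcap():
    frames = [_tcp_frame(80, 100)] * 3 + [_tcp_frame(443, 10)] + [_tcp_frame(25, 0)] * 2
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return bytes(out)

if __name__ == "__main__":
    print("\n".join(format_table(count_by_dstport(sample_pcap()))))
```

On a real dump, replace `sample_pcap()` with `open("dump.pcap", "rb").read()`; captures saved by recent Wireshark versions default to pcapng, so save as classic pcap first.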
