
I have a single packet capture (acquired via tcpdump) that contains flow records between an exporter and a collector.

I want to determine throughput across a given interface using the bytes (octets) field in the v9 record. I have filtered down to the network that I want like so:

tshark -r input.pcap -Y "ip.src == X.X.X.X" -F pcap -w filtered.pcap

I further filtered to the interface that I needed like so:

tshark -r filtered.pcap -Y "cflow.inputint == Y" -F pcap -w filtered2.pcap

I'm lost after that. Is there a better tool to aggregate across the flows to get throughput?

Any help would be greatly appreciated!

cjphlo

1 Answer


You may try to print netflow fields and then process the results.

For example:

tshark -r filtered2.pcap -T fields -e cflow.version -e cflow.srcaddr -e cflow.dstaddr -e cflow.octets -e cflow.timedelta -e cflow.abstimestart

Field names are visible in the Wireshark status bar when you select a packet detail.


Better option:

  1. install or compile https://github.com/phaag/nfdump with the --enable-readpcap flag.

  2. process your pcap: nfcapd -f <path to your pcap file> -l <path to output directory> -T all

  3. count statistics: nfdump -o extended -R <path to output directory>

L.R.
    Sorry for the late reply, but I did something similar to this. I filtered my packets and then dumped them to JSON using `-e ... -T json` like in your example. I then used this file to post-process what I needed in Python. Thanks for the reply! – cjphlo Nov 20 '18 at 22:43
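The post-processing step both the answer and the comment leave to the reader, as an added example that is not code from the question, the answer or the nfdump project: it aggregates exported NetFlow v9 records into per-second throughput. The input format is an assumption for this example: three tab-separated columns per exported packet (flow start as epoch seconds, flow duration in seconds, octets), in the column order a command such as `tshark -r filtered2.pcap -T fields -e cflow.abstimestart -e cflow.timedelta -e cflow.octets` would print, with the start time already converted to epoch seconds (that conversion is assumed, not shown). The sample lines are constructed, not captured data. Because a single export packet usually carries several flow records, `tshark -T fields` prints each repeated field as comma-separated values in one column, and template/options packets print empty columns; the parser handles both.

```python
"""Aggregate NetFlow v9 flow records into per-second throughput.

Added example, not from the original page. Assumed input: tab-separated
lines, one per exported packet, in the column order
    <flow start, epoch seconds> <duration, seconds> <octets>
Each column may hold several comma-separated values (one per flow record
in that packet), which is how tshark -T fields prints repeated fields.
"""
import math
from collections import defaultdict

# Constructed sample, not real capture data. Line 2 is a packet with two
# records, line 3 a template packet (empty fields), line 5 a truncated record.
SAMPLE_TSV = """\
1542753781.000\t2.000\t3000
1542753781.500,1542753782.250\t0.000,1.500\t500,1500
\t\t
1542753790.000\t1.000\t1000
1542753795.000\t1.000
"""


def parse_flows(text):
    """Return ([(start, duration, octets), ...], skipped_line_count)."""
    flows = []
    skipped = 0
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 3 or not all(cols):
            skipped += 1  # template/options packets or malformed lines
            continue
        starts, durs, octs = (c.split(",") for c in cols)
        if not (len(starts) == len(durs) == len(octs)):
            skipped += 1  # columns disagree on the record count: do not guess
            continue
        for s, d, o in zip(starts, durs, octs):
            flows.append((float(s), float(d), int(o)))
    return flows, skipped


def bytes_per_second(flows):
    """Spread each flow's octets evenly across the 1 s buckets it overlaps.

    NetFlow only reports start, end and a byte count per flow, so even
    spreading is the usual approximation for a flow-derived throughput curve.
    """
    buckets = defaultdict(float)
    for start, duration, octets in flows:
        if duration <= 0:
            # Zero-length flow (e.g. a single packet): charge the start second.
            buckets[math.floor(start)] += octets
            continue
        end = start + duration
        for sec in range(math.floor(start), math.ceil(end)):
            overlap = min(end, sec + 1) - max(start, sec)
            buckets[sec] += octets * overlap / duration
    return dict(buckets)


def throughput_bps(flows):
    """Per-second throughput in bits/s, keyed by epoch second."""
    return {sec: b * 8 for sec, b in bytes_per_second(flows).items()}


def summarize(bps):
    """Peak and mean over the observed window; idle seconds count as zero."""
    if not bps:
        return {"peak_bps": 0.0, "peak_at": None, "mean_bps": 0.0, "seconds": 0}
    first, last = min(bps), max(bps)
    window = last - first + 1
    peak_at = max(bps, key=bps.get)
    return {
        "peak_bps": bps[peak_at],
        "peak_at": peak_at,
        "mean_bps": sum(bps.values()) / window,
        "seconds": window,
    }


if __name__ == "__main__":
    flows, skipped = parse_flows(SAMPLE_TSV)
    bps = throughput_bps(flows)
    for sec in sorted(bps):
        print(f"{sec}\t{bps[sec]:.0f} bps")
    print(summarize(bps), f"skipped {skipped} line(s)")
```

Two caveats when feeding this real tshark output: filter to the interface first (the `cflow.inputint` filter from the question), since the octets of every record in the file are summed; and check which start-time field your templates actually export, because v9 flow start/end are often relative to the exporter's sysUpTime (`cflow.timestart`) and must be converted using the sysUpTime and UNIX-seconds values in the export packet header before they are usable as epoch seconds here.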