Find unique packet lengths from a Wireshark dump using Tshark

Some days back, I had a requirement to identify the unique packet lengths present in a Wireshark dump. As an example, let's say the dump contains 5000 packets in all. Out of these, let's say 4000 packets are of size 64 bytes and 1000 packets are of size 100 bytes. I am not interested in the numbers 4000/1000 -- I only want the information that the total number of unique packet lengths present in the dump is 2, namely 64 and 100 bytes.

Normally, I would manually scroll through the dump, keeping track of the lengths captured, and then come up with the required information. However, in this case the number of packets in the dump was on the order of millions and it was not at all feasible to do the job manually.

So I was on the lookout for some way to achieve my objective. Finally, I worked out a solution which served the purpose for me, and I am sharing it below.

Let's say the .cap file generated by Wireshark is test.cap (for illustration, I have chosen a test.cap file which contains a dump of very few packets). When you install Wireshark, another tool called tshark.exe is installed with it. Its location would typically be C:\Program Files\WireShark\tshark.exe. Let's say you copy your test.cap file into the above folder. Now you can give the following command at the Windows command prompt inside the above folder.

tshark.exe -r test.cap -T fields -e frame.len

Using the -T fields option, you tell tshark that you want only specific fields in the command output, and those fields are named with the -e option. In the above case, I specified the length of the captured frame (and in fact that is the only field I specified). The output looks as follows.

As you can notice, there are multiple packets captured with a length of 60/64 bytes. The good thing about this output is that it can be copy-pasted into a text file on a Linux/Unix PC. Let's call the file in which we paste the above output LenDump.txt. Now the following command can be given on a Linux/Unix PC, which will show the unique packet lengths from the dump as desired.

cat LenDump.txt | sort | uniq

The above command removes multiple occurrences of the same length from the dump. What you finally get is a neat sorted output just listing the unique packet lengths that you desired.
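The two-step procedure above, as an added example that is not part of the original post: tshark is not run here (no capture file is available offline), so a constructed list of frame.len values standing in for the tshark output is fed through the same sort/uniq pipeline. The function names and the sample values are assumptions for illustration. The example also uses sort -n, because plain sort compares the lengths as strings and would list 100 before 60.

```shell
# Constructed sample standing in for what
#   tshark.exe -r test.cap -T fields -e frame.len
# prints: one frame length per line, duplicates included.
SAMPLE_LENDUMP="60
64
100
60
64
1514
100
60"

# Emit the sample, one length per line (this is the "LenDump.txt" of the post).
sample_lengths() {
    printf '%s\n' "$SAMPLE_LENDUMP"
}

# Equivalent of: cat LenDump.txt | sort | uniq
# uniq only collapses adjacent duplicates, so the sort must come first.
# sort -n orders numerically; a plain sort would put 100 before 60.
unique_lengths() {
    sort -n | uniq
}

# The number the post is after: how many distinct lengths the dump contains.
count_unique_lengths() {
    unique_lengths | wc -l | tr -d ' '
}

# Same pipeline with a per-length packet count, for when the 4000/1000
# figures do matter. Output: "<length> <count>" per line.
length_histogram() {
    sort -n | uniq -c | awk '{print $2, $1}'
}

# With a real capture the whole job is one pipeline and needs no copy-paste:
#   tshark -r test.cap -T fields -e frame.len | sort -n | uniq
# (not executed here, so the example runs without a capture file)

sample_lengths | unique_lengths
sample_lengths | count_unique_lengths
sample_lengths | length_histogram
```

On the sample above, unique_lengths prints 60, 64, 100 and 1514, count_unique_lengths prints 4, and length_histogram shows that 60 occurs three times. On a Windows box with Wireshark installed, the same pipeline works from the tshark folder if sort and uniq are available (for example from Git for Windows or WSL); otherwise the copy-to-Linux step from the post is the way to go.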

Do share if you think there could be an easier way to do this.
