Wireshark-users: [Wireshark-users] Statistics grouped by port?



From: Brad Johnson <bjohnson@xxxxxxxxxxxxxx>
Date: Tue, 6 Feb 2007 15:41:08 -0500 (EST)

Hello everyone - longtime Ethereal/Wireshark user, first time poster.

I'm banging my head against a wall here. I've always been thrilled with
Wireshark's in-depth statistical analysis and ways of looking at
connections. That being said, I have something very simple I want to do
and can't figure out how to do it.

Wireshark will group packets by "TCP endpoints", in other words
pairings of IP addresses and TCP destination ports. It will tell me how
many packets and bytes went to IP address X on port Y. That's great
and all, but what I want to know is how many packets and bytes went to
port Y REGARDLESS of the IP. So basically a list like:

TCP.DSTPORT       COUNT      BYTES
80                9234       142352
25                448        342344
443               85         99834

and so on. I have a large packet dump of all the traffic on my network
from a short period of time, and I want to see which destination ports the
traffic was going to the most so I can do a little traffic profiling. This
seems like such a common thing that people would want to do - as advanced
as some of Wireshark's capabilities are, I find it hard to believe that it
doesn't do it. It's basically like the "Endpoints" capability but removing
the IP addresses so I don't have to manually total up the lines where the
destination port matches.

The "Protocol Hierarchy" is close, but it just seems to dump a lot of
packets it doesn't know what to do with under "Data", so that doesn't
really help me.

If Wireshark doesn't do it, are there any tools that do? I could probably
use something like Snort/BASE to import the dump file into a SQL
database and then do a SELECT tcp.dstport, COUNT(tcp.dstport) FROM dump
GROUP BY tcp.dstport, but that's a bit of a pain - especially with a large
dump file. I'm hoping Wireshark or another light-weight tool can do it
without the need for parsing the data into a SQL database first.

Thanks to anyone who can help!

Brad Johnson
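The table the message asks for can be produced without a SQL import by walking the capture once and grouping on the TCP destination port. The following Python 3 script is an added example, not code from the original thread or from the Wireshark project: it parses the classic pcap file format (both byte orders), extracts the destination port from each Ethernet/IPv4/TCP frame, and sums packet counts and bytes per port. The four-frame capture embedded at the bottom is constructed sample data, not a real trace; the `build_pcap` and `build_tcp_frame` helpers exist only to fabricate it.

```python
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1  # pcap link-layer type for Ethernet frames


def build_pcap(frames):
    """Assemble a little-endian classic pcap (magic 0xa1b2c3d4) from raw frames.
    Only used here to construct sample input; a real capture is read from disk."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames
    )
    return header + records


def build_tcp_frame(src_ip, dst_ip, src_port, dst_port, payload_len):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero) for sample data."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,  # IHL=5, proto 6 = TCP
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len


def iter_pcap_records(data):
    """Yield (original_length, frame_bytes) for each record in a pcap file."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"          # microsecond / nanosecond, little-endian
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"          # microsecond / nanosecond, big-endian
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled by this example")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break             # truncated final record
        off += incl_len
        yield orig_len, frame


def tcp_dst_port(frame):
    """Return the TCP destination port of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None           # ARP, IPv6, VLAN-tagged frames are skipped
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None           # not IPv4, or not TCP
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return None           # non-first fragment carries no TCP header
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    if len(tcp) < 4:
        return None
    return struct.unpack("!H", tcp[2:4])[0]


def bytes_by_dst_port(pcap_bytes):
    """Group by tcp.dstport: {port: (packet_count, total_bytes)}.
    Equivalent to SELECT tcp.dstport, COUNT(*), SUM(frame.len) ... GROUP BY tcp.dstport."""
    stats = defaultdict(lambda: [0, 0])
    for orig_len, frame in iter_pcap_records(pcap_bytes):
        port = tcp_dst_port(frame)
        if port is None:
            continue
        stats[port][0] += 1
        stats[port][1] += orig_len   # wire length, even if the capture was snapped
    return {port: tuple(v) for port, v in stats.items()}


def format_table(stats):
    """Render the per-port table sorted by bytes, busiest port first."""
    lines = ["%-12s %10s %10s" % ("TCP.DSTPORT", "COUNT", "BYTES")]
    for port, (count, nbytes) in sorted(stats.items(), key=lambda kv: kv[1][1], reverse=True):
        lines.append("%-12d %10d %10d" % (port, count, nbytes))
    return "\n".join(lines)


# Constructed sample capture: two flows to port 80, one to 443, one reply to an
# ephemeral port, and one ARP frame that must be ignored.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.1", 40001, 80, 100),
    build_tcp_frame("10.0.0.6", "10.0.0.2", 40002, 80, 300),
    build_tcp_frame("10.0.0.7", "10.0.0.9", 40003, 443, 50),
    build_tcp_frame("10.0.0.1", "10.0.0.5", 80, 40001, 0),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(format_table(bytes_by_dst_port(data)))
```

Run it with a capture path as the only argument; without one it prints the table for the embedded sample. The aggregation uses the original wire length of each frame, so the byte totals stay correct for captures taken with a snap length, and only the first fragment of a fragmented datagram is attributed to a port. For a large real capture, the same two columns can be produced by `tshark -r dump.pcap -T fields -e tcp.dstport -e frame.len` and summed with the same grouping logic.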



  • Follow-Ups:
    • Re: [Wireshark-users] Statistics grouped by port?
      • From: Stephen Fisher
