Wireshark-users: Re: [Wireshark-users] how to analyze the pcap file
From: "Rob MacKenzie" <rmackenzie@xxxxxxx>
Date: Wed, 11 Jun 2008 10:51:29 -0400
Maybe you are talking about the Link Type? This is located in the Pcap Global header at address 0x14 from the start of the file. This can be quickly read by any programming language that reads binary files.

http://wiki.wireshark.org/Development/LibpcapFileFormat

That has all the information I used to make my own pcap readers and writers.

Rob MacKenzie
Advanced Connectivity Developer

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: June 11, 2008 3:08 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] how to analyze the pcap file

On Wed, Jun 11, 2008 at 01:50:32PM +0800, ?????? wrote:
> recently I am trying to analyze the pcap file in order to know
> the protocol's type in the content of the file
> can you tell me some program that can do the above? thanks

If I understand you correctly, you want to know what protocols are in a particular tracefile without having to open it in your protocol analyser? Well, without reading the file, this is not possible, there are no protocol statistics inside the pcap file. You will need to read the whole file to build the statistics.

tshark (which comes with Wireshark) is capable of doing this:

[sake@vm-fedora8 trunk]$ tshark -r file.cap -qz io,phs
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:79679 bytes:13589551
  eth                                    frames:79679 bytes:13589551
    ip                                   frames:79673 bytes:13589203
      tcp                                frames:79673 bytes:13589203
        http                             frames:9113 bytes:4954211
          malformed                      frames:82 bytes:7156
          image-gif                      frames:1519 bytes:1240883
          data-text-lines                frames:160 bytes:123448
          media                          frames:51 bytes:32775
        ssl                              frames:8890 bytes:3553534
          malformed                      frames:764 bytes:75674
        tcp.segments                     frames:932 bytes:491318
          http                           frames:531 bytes:46571
            data-text-lines              frames:512 bytes:34695
          ssl                            frames:401 bytes:444747
            ssl                          frames:1 bytes:1030
    arp                                  frames:6 bytes:348
===================================================================
[sake@vm-fedora8 trunk]$

Is this what you are looking for?

Cheers,
Sake
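The two points in this message, as an added example that is not part of the original thread and is not code from either poster: a reader that takes the link type from offset 0x14 of the global header, then walks every packet record to tally EtherTypes, since the file carries no statistics of its own. It assumes the classic libpcap layout (24-byte global header, 16-byte record headers) and handles only Ethernet captures; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

# Magic number as it appears on disk -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # written little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # written big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # nanosecond-timestamp variant, little-endian
    b"\xa1\xb2\x3c\x4d": ">",  # nanosecond-timestamp variant, big-endian
}
LINKTYPE_ETHERNET = 1

def read_link_type(data):
    """Return (byte-order prefix, link type) from the 24-byte global header."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[data[:4]]
    (link_type,) = struct.unpack_from(order + "I", data, 0x14)
    return order, link_type

def ethertype_counts(data):
    """Walk every packet record and tally EtherTypes (Ethernet captures only)."""
    order, link_type = read_link_type(data)
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {link_type}")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            break  # truncated final record: stop rather than read past the end
        if incl_len >= 14:  # EtherType sits at bytes 12-13, always big-endian
            counts[struct.unpack_from("!H", data, off + 12)[0]] += 1
        off += incl_len
    return counts

def sample_capture(order):
    """Constructed sample: global header, then ARP, IPv4 and ARP frames."""
    out = struct.pack(order + "I", 0xA1B2C3D4)
    out += struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ethertype in (0x0806, 0x0800, 0x0806):
        frame = bytes(12) + struct.pack("!H", ethertype) + bytes(46)
        out += struct.pack(order + "IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for order in "<>":
        print(order, dict(ethertype_counts(sample_capture(order))))
```

The byte order of the link-type field follows the magic number, so a reader that assumes its own host's order will misread captures written on a machine of the other endianness.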
- Follow-Ups:
  - Re: [Wireshark-users] how to analyze the pcap file
    - From: Guy Harris
- References:
  - [Wireshark-users] how to analyze the pcap file
    - From: 余洪航
  - Re: [Wireshark-users] how to analyze the pcap file
    - From: Sake Blok