
Wireshark-users: Re: [Wireshark-users] Can Wireshark query the captured data?

From: "John Martin" <John.Martin@xxxxxxxxx>
Date: Tue, 21 Oct 2008 16:06:12 -0400
Log parser 2.2 

http://www.microsoft.com/technet/scriptcenter/tools/logparser/lpfeatures.mspx



-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
j.snelders@xxxxxxxxxx
Sent: Tuesday, October 21, 2008 3:16 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Can Wireshark query the captured data?

Hi Abdu,

You'll find a lot of useful information in the user guide: 
http://www.wireshark.org/docs/wsug_html/

In a nutshell...
Add a column to display the packet length (bytes)
Edit - Preferences - User interface - Columns
Select : New
Properties:
Title: change the title to Length
Format: select Packet length (bytes)
Apply - OK


Use capture and/or display filters.
http://wiki.wireshark.org/CaptureFilters
http://wiki.wireshark.org/DisplayFilters

You can use a capture filter to capture only HTTP traffic
Capture - Options - Capture filter
select: Filter name: HTTP TCP port (80)  Filter string: tcp port http

You can use filters to capture traffic to/from specific host:
capture filter:
to/from: host 192.168.100.44
to: dst host 192.168.100.44
from: src host 192.168.100.44

display filter:
to/from : ip.addr == 192.168.100.44 
to : ip.dst == 192.168.100.44
from : ip.src == 192.168.100.44


While capturing you can, for instance, look at:
Analyze - Expert Info Composite
Statistics - Conversations

In the "Conversations Window" you can right-click on an 
interesting conversation to apply a filter.

Hope this helps
Joan


On Tue, 21 Oct 2008 00:03:21 +0000 abdu bukres wrote:
> I have been using Wireshark in a simple usage looking at the data.
> 
> Can Wireshark be used to query the data a bit like SQL, something like:
> List the top 10 ip addresses which caused the most number 
> of hits or tcp traffic during the last 10 minutes?
> 
> I don't know if Wireshark can capture number of bytes sent 
> out in http responses, so can it list which ip addresses are causing 
> a lot of outbound traffic?
> 
> I would like to query the data captured by Wireshark and 
> query it like a database. 
> 
> Simple examples can get me going fast.
> 
> If Wireshark can't do it, any ideas for other sniffers?
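An added example, not code from anyone in this thread and not a Wireshark or Log Parser feature: the SQL-style question above ("top 10 source addresses by hits or bytes in the last 10 minutes", "which addresses send the most HTTP response bytes") answered by first flattening the capture with tshark's field export and then grouping the rows in a short Python script. The tshark command in the docstring, the file name capture.pcap and the field order are assumptions; the sample rows are constructed, not captured traffic. The host filter mirrors the ip.addr == X display filter Joan describes (source or destination), and the port filter picks out packets sent from TCP port 80, i.e. HTTP responses.

```python
"""Top-talker queries over tshark field output.

Added example, not from the mailing-list thread. It assumes the capture was
first exported as tab-separated fields, for instance (assumed invocation):

  tshark -r capture.pcap -Y tcp -T fields -E separator=/t \
      -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e tcp.srcport \
      > flows.tsv

(-Y is the display-filter option in current tshark; 2008-era tshark used -R.)
"""
from collections import defaultdict

# Constructed sample rows, in the field order above:
# epoch seconds, ip.src, ip.dst, frame.len, tcp.srcport
SAMPLE_TSV = """\
1224616800.000\t192.168.100.44\t10.0.0.5\t1514\t80
1224616800.500\t10.0.0.5\t192.168.100.44\t60\t51234
1224616801.000\t192.168.100.44\t10.0.0.7\t1514\t80
1224616801.200\t192.168.100.44\t10.0.0.7\t1514\t80
1224616802.000\t10.0.0.9\t192.168.100.44\t500\t40000
1224616000.000\t172.16.0.3\t10.0.0.5\t9000\t80
"""


def parse_tshark_fields(text):
    """Parse `tshark -T fields` output, one packet per line, tab separated.

    Rows without an IP layer (empty ip.src/ip.dst) are skipped, just as the
    display filter ip.addr == X never matches them in the GUI.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, length, sport = (line.split("\t") + [""] * 5)[:5]
        if not src or not dst:
            continue
        records.append({
            "time": float(t),
            "src": src,
            "dst": dst,
            "bytes": int(length),
            "srcport": int(sport) if sport else None,
        })
    return records


def in_window(records, seconds, now=None):
    """Keep packets from the last `seconds` seconds.

    `now` defaults to the newest timestamp in the data, which is what
    "the last 10 minutes" means for a saved capture rather than a live one.
    """
    if not records:
        return []
    if now is None:
        now = max(r["time"] for r in records)
    return [r for r in records if now - seconds <= r["time"] <= now]


def with_host(records, host):
    """Equivalent of the display filter ip.addr == host (source OR destination)."""
    return [r for r in records if host in (r["src"], r["dst"])]


def from_port(records, port):
    """Packets sent from a given TCP port, e.g. 80 for HTTP responses."""
    return [r for r in records if r["srcport"] == port]


def top_talkers(records, key="src", measure="bytes", n=10):
    """SELECT key, SUM(bytes) or COUNT(*) GROUP BY key ORDER BY total DESC LIMIT n.

    Ties are broken by address string so results are deterministic.
    """
    totals = defaultdict(int)
    for r in records:
        totals[r[key]] += r["bytes"] if measure == "bytes" else 1
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    recs = parse_tshark_fields(SAMPLE_TSV)
    recent = in_window(recs, 600)          # the 172.16.0.3 row is older and drops out
    print("Top senders by bytes, last 10 minutes:")
    for ip, total in top_talkers(recent, "src", "bytes"):
        print(f"  {ip:<16} {total} bytes")
    print("Top senders by packet count, last 10 minutes:")
    for ip, total in top_talkers(recent, "src", "hits"):
        print(f"  {ip:<16} {total} packets")
    print("Outbound HTTP response bytes (sent from port 80):")
    for ip, total in top_talkers(from_port(recent, 80), "src", "bytes"):
        print(f"  {ip:<16} {total} bytes")
```

For a one-off tally without a script, tshark's built-in statistics do the grouping directly: `tshark -q -r capture.pcap -z endpoints,ip` and `-z conv,tcp` print per-address and per-conversation byte and packet totals (the same data as the GUI's Statistics - Conversations window), and the same flows.tsv can be loaded into Log Parser 2.2 as John suggests if you prefer real SQL.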



_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users