当我使用以下命令分析file.pcap时
tshark -r file.pcap -T fields -E Separator=' ' -e ip.src -e ip.len
我得到了这样的结果
IP ADDRESS BYTES
---------------------
ip address 1 25
ip address 2 56
ip address 1 78
ip address 3 100
结果我想要
IP ADDRESS TOTAL AMOUNT OF BYTES
---------------------------------------------------------
ip address 1 whole amount of byte sent by ip address 1
ip address 2 whole amount of byte sent by ip address 2
ip address 3 whole amount of byte sent by ip address 3
有没有办法产生这个结果?我的示例pcap文件的行数超过5,400,000,这就是我需要命令的原因。
我用命令,
tshark -r file.pcap -g -z enpoints,ip > output.dat
然后,
cat output.dat
结果
Ip address -> Total packets, Total bytes, sent packets, sent bytes, received packets, received bytes
然后按照命令执行命令以获得前10个IP地址,
cat output.dat | sort -k 3,3nr | head -10
通过此命令,它按降序对列3进行排序,以便我们可以获得具有最大数据输入和输出的前十个IP地址。