I have a single packet capture (acquired via tcpdump) that contains flow records between an exporter and a collector.
I want to determine throughput across a given interface using the bytes (octets) field in the v9 record. I have filtered down to the network that I want like so:
tshark -r input.pcap -Y "ip.src == X.X.X.X" -F pcap -w filtered.pcap
I further filtered to the interface that I needed like so:
tshark -r filtered.pcap -Y "cflow.inputint == Y" -F pcap -w filtered2.pcap
I'm lost after that. Is there a better tool to aggregate across the flows to get throughput?
Any help would be greatly appreciated!
You may try to print netflow fields and then process the results.
For example:
tshark -T fields -e cflow.version -e cflow.srcaddr -e cflow.dstaddr -e cflow.octets -e cflow.timedelta -e cflow.abstimestart
Field names are visible in wireshark status bar when you select packet details.
Better option:
install or compile https://github.com/phaag/nfdump with --enable-readpcap flag.
process your pcap nfcapd -f <path to your pcap file> -l <path to output directory> -T all
count statistics nfdump -o extended -r <path to output directory>