Why does Protocol Hierarchy have less packets counts than that of pcap file?
https://www.wireshark.org/lists/wireshark-users/200905/msg00146.html
https://www.wireshark.org/docs/wsug_html_chunked/ChStatHierarchy.html
Packets usually contain multiple protocols. As a result more than one protocol will be counted for each packet. Example: In the screenshot IP has 99.9% and TCP 98.5% (which is together much more than 100%).
Protocol layers can consist of packets that won’t contain any higher layer protocol, so the sum of all higher layer packets may not sum up to the protocols packet count. Example: In the screenshot TCP has 98.5% but the sum of the subprotocols (TLS, HTTP, etc) is much less. This can be caused by continuation frames, TCP protocol overhead, and other undissected data.
A single packet can contain the same protocol more than once. In this case, the protocol is counted more than once. For example ICMP replies and many tunneling protocols will carry more than one IP header.
>#tshark.exe -qz io,phs -r file-00018.cap
Wireshark-users: Re: [Wireshark-users] tshark protocol hierarchy statistics frames count
Have you tried tshark -r test.cap -q -z io,phs
It will give you a hierarchical list of protocols, not sure if it will suite you needs.
===================================================================
Protocol Hierarchy Statistics
Filter: frame
frame frames:433 bytes:290520
eth frames:433 bytes:290520
ip frames:433 bytes:290520
tcp frames:423 bytes:289464
http frames:188 bytes:267285
ssh frames:24 bytes:7968
ssl frames:2 bytes:237
udp frames:10 bytes:1056
data frames:6 bytes:355
ntp frames:2 bytes:180
nbdgm frames:2 bytes:521
smb frames:2 bytes:521
mailslot frames:2 bytes:521
browser frames:2 bytes:521
===================================================================
To get just the list of protocols you could do some commandline KungFu.
tshark -r test.cap -z io,phs -q | tr -s ' ' | cut -f 2 -d ' ' | tail -n +7 | head -n -1
which will give you
eth
ip
tcp
http
ssh
ssl
udp
data
ntp
nbdgm
smb
mailslot
browser
https://security.stackexchange.com/questions/3607/extract-from-pcap-all-protocols-found
I think that -Tfields -eframe.protocols would be the closest thing you'll get.
The output looks something like this:
eth:ip:tcp:http
eth:ip:tcp
eth:ip:tcp:http:media
eth:ip:tcp
eth:ip:udp:nbdgm:smb:browser
eth:ip:tcp
eth:arp
eth:arp
eth:ipv6:udp:http
eth:ip:udp:http
As it can be seen the information displayed will vary a bit depending on which protocol dissector gets to play. So you'll need to do some post-processing to cut the parts you don't need and/or dedup (for instance using @Mark's suggestion in the comment).
Simply use I/O stasistics for that:
c:\tshark -r tracefile.pcap -qz io,stat,0,ip.src==1.2.3.4,ip.dst==1.2.3.4,tcp.dstport==80
The tshark manual page lists all the options for tshark, you'll probably want to look at the '-T fields' with some '-e' options, e.g. '-T fields -e ip.src' to get a list of the source ip's, '-T fields -e ip.dst' for destination IP's and '-T fields -e tcp.dstport' for the destination port.