Programmatic Analysis of Wireshark Log Files using C#
The other day, I wanted to perform some Wireshark filtering on a .pcap file to obtain a count of the packets found for a large number of IP addresses. I wanted to find out the number of TCP retransmissions for a specified IP address, as well as the count of TCP resets for each IP address. And finally, I wanted to get a count of the number of "keep alive" packets for each IP address.

Okay, so this is pretty easy to perform in Wireshark. Just filter the traffic with the following display filters (ip.addr matches a packet whose source or destination is the given address):

tcp.analysis.retransmission && ip.addr == 1.2.3.4
tcp.flags.reset == 1 && ip.addr == 1.2.3.4
tcp.analysis.keep_alive && ip.addr == 1.2.3.4

But I didn't want to go through the user interface for hundreds of different IP addresses. I wanted to do this programmatically, in code. Now, there are a couple of different approaches you can take here depending on your requirements. At first I used PcapDotNet. This is a great library and you can walk the packets
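One caveat worth keeping in mind before reaching for a packet library: tcp.flags.reset is a bit in the TCP header, but tcp.analysis.retransmission and tcp.analysis.keep_alive are not fields in the packet at all. Wireshark derives them by tracking sequence numbers per flow, so a library that only decodes headers (PcapDotNet included) leaves you to reproduce that bookkeeping yourself. The following is an added example, not code from the original post, written in Python with the standard library only so it runs anywhere (the post's own code is C#): it parses a classic pcap file by hand, decodes Ethernet/IPv4/TCP, and produces the three per-IP counts the filters above would give. The keep-alive and retransmission rules are deliberately simplified approximations of Wireshark's tcp.analysis heuristics, and the sample capture is constructed inline (zeroed MACs and checksums, made-up 10.0.0.x addresses).

```python
"""Per-IP counts of TCP retransmissions, resets and keep-alives from a pcap,
a plain-Python equivalent of the three Wireshark filters above.
Standard library only; classic pcap (not pcapng), Ethernet/IPv4/TCP only."""
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from classic pcap bytes (either byte order)."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, flags, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]            # total_len drops Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    payload_len = len(tcp) - (off_flags >> 12) * 4  # honours TCP options
    return src, dst, sport, dport, seq, off_flags & 0x1FF, payload_len


def analyse(pcap_bytes):
    """Counts keyed like Wireshark's ip.addr: a packet counts for its source AND destination."""
    counts = defaultdict(lambda: {"retransmission": 0, "reset": 0, "keep_alive": 0})
    next_seq = {}  # (src, sport, dst, dport) -> sequence number expected next
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, seq, flags, plen = parsed
        expected = next_seq.get((src, sport, dst, dport))
        # Simplified tcp.analysis heuristics (an approximation, not Wireshark's exact
        # rules): a keep-alive is an ACK carrying 0-1 bytes sent at nextseq-1; a
        # retransmission carries data below the sequence number the flow already reached.
        is_keep_alive = bool(expected is not None and plen <= 1 and seq == expected - 1
                             and flags & TCP_ACK and not flags & (TCP_SYN | TCP_FIN | TCP_RST))
        is_retrans = bool(expected is not None and plen > 0 and seq < expected and not is_keep_alive)
        for ip in {src, dst}:
            counts[ip]["reset"] += int(bool(flags & TCP_RST))
            counts[ip]["keep_alive"] += int(is_keep_alive)
            counts[ip]["retransmission"] += int(is_retrans)
        end = seq + plen + bool(flags & TCP_SYN) + bool(flags & TCP_FIN)
        if expected is None or end > expected:  # 32-bit wrap-around ignored for brevity
            next_seq[(src, sport, dst, dport)] = end
    return dict(counts)


def build_sample_pcap():
    """Constructed capture (not from the post): one flow with a retransmission and a
    keep-alive, plus resets from two hosts. MACs and checksums are zero placeholders."""
    def frame(src, dst, sport, dport, seq, flags, payload=b""):
        tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    a, b, c = "10.0.0.1", "10.0.0.2", "10.0.0.3"
    return header + b"".join([
        frame(a, b, 40000, 80, 1000, TCP_SYN),                        # handshake start
        frame(a, b, 40000, 80, 1001, TCP_ACK | 0x08, b"GET / HTTP"),  # 10 bytes of data
        frame(a, b, 40000, 80, 1001, TCP_ACK | 0x08, b"GET / HTTP"),  # same segment again
        frame(a, b, 40000, 80, 1010, TCP_ACK),                        # keep-alive probe at nextseq-1
        frame(b, a, 80, 40000, 2000, TCP_RST | TCP_ACK),              # server resets the flow
        frame(c, b, 5555, 443, 1, TCP_RST),                           # unrelated reset from a third host
    ])


if __name__ == "__main__":
    for ip, c in sorted(analyse(build_sample_pcap()).items()):
        print(ip, c)
```

To run it over a real capture, replace build_sample_pcap() with open("capture.pcap", "rb").read(); for hundreds of addresses the point is that the whole file is walked once and every IP gets its three counters, instead of re-running three filters per address. Real traffic will need more than this: IPv6, VLAN tags, pcapng, sequence-number wrap, and Wireshark's finer distinctions (fast retransmission, spurious retransmission, out-of-order) are all left out, and the retransmission rule will also flag legitimate out-of-order segments, which is exactly the kind of ambiguity Wireshark's analysis resolves with more state.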