Finding short or long TCP conversations with tshark
I posted previously about finding suspiciously short TCP connections as leads for problem determination. You can get the same TCP statistics from tshark when capture files are too unruly to transfer or to load in a GUI:

    tshark -r foo.cap -q -z conv,tcp

The output is super-wide and not blogger.com friendly, but it includes TCP addresses, ports, bytes sent, and duration.
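
To pull only the short or long conversations out of that wide table, the output can be filtered on its duration column. The following is an added example, not part of the original post: `filter_conv` and `sample_conv` are hypothetical names, the sample rows are constructed, and it assumes each conversation row has `<->` as its second field and the duration as its last field.

```shell
#!/bin/sh
# filter_conv MIN MAX
# Reads `tshark -q -z conv,tcp` output on stdin and prints
# "duration<TAB>endpointA<TAB>endpointB" for every conversation whose
# duration (seconds) lies in [MIN, MAX], shortest first.
# The duration is taken from the last field rather than a fixed column
# number, so extra fields in the byte columns do not shift it.
filter_conv() {
    LC_ALL=C awk -v min="$1" -v max="$2" '
        $2 == "<->" && NF >= 5 {        # data rows only; banner and header lines are skipped
            dur = $NF + 0
            if (dur >= min && dur <= max)
                printf "%.4f\t%s\t%s\n", dur, $1, $3
        }' | LC_ALL=C sort -n
}

# Constructed sample in the shape of the conv,tcp table (documentation
# addresses, made-up counters), so the filter can be tried without a capture.
sample_conv() {
    cat <<'EOF'
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.0.2.10:51514       <-> 198.51.100.7:443         40     52110      31      4120      71     56230     0.000000000      312.4410
192.0.2.10:51520       <-> 198.51.100.9:8080         1        60       2       134       3       194     4.118220000        0.0021
192.0.2.11:40022       <-> 198.51.100.7:443          3       180       3       198       6       378     9.530114000        0.2100
================================================================================
EOF
}

# Conversations that lasted at most half a second (constructed data):
sample_conv | filter_conv 0 0.5

# Against a real capture:
#   tshark -r foo.cap -q -z conv,tcp | filter_conv 0 0.5      # suspiciously short
#   tshark -r foo.cap -q -z conv,tcp | filter_conv 300 999999 # long-lived
```
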