
Thread: How to extract bandwidth usage from tcpdump capture file?




How to extract bandwidth usage from tcpdump capture file?
United States
2007-04-05 02:19:33
Hi, I've got a tcpdump capture file and am looking for a utility that
will read the file and output either the average bandwidth over an
interval of time or the number of bytes in that interval of time.
tcptrace -xslice is almost perfect--the only problem is that it only
counts TCP packets. I need the data for all packets in the trace.

For those who aren't familiar with it, the output from tcptrace
-xslice looks like:

date                segs    bytes  rexsegs rexbytes      new   active
--------------- -------- -------- -------- -------- -------- --------
15:03:26.707663     1790   241521        8     4457       21       21
15:03:41.707663     2875   799428        5     7281       32       39
15:03:56.707663     2590   688734       19    11988       17       34
15:04:11.707663     2856  1063850       16    18228       44       52
15:04:26.707663     2188   550299        8     7696        6       39

I only need the "date" and "bytes" columns.
-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khymazeotrope.org |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 31 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++

Re: How to extract bandwidth usage from tcpdump capture file?
Canada
2007-04-05 20:08:29
On Apr 5, 2007, at 5:44 PM, James K. Lowden wrote:
> You need averages over time.  I'm sure there are other ways, but if it
> were me, I'd use sqlite3, believe it or not.  You can import your text
> file, above, and use the database's time and avg() functions to
> compute your answer.

That'd be one way.... But a .cap file is a relatively trivial file
format.  There's a pcap_file_header and a pcap_pkthdr in front of
each packet in the file.  Find the first pcap_pkt hdr, record the
timestamp and len (see /usr/include/pcap.h) and you have the
equivalent of your tcptrace output.  Pump it into gnuplot and you're
done...

Should be <100 lines of code.

Make sure you use "tcpdump -s0" to generate the .cap.
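
The approach described in the message above (walk the file header and the per-packet headers, bucket each packet's length by timestamp), as an added example that is not code from any poster in this thread. The names slice_bytes and build_sample, the 15-second default interval and the sample packets are assumptions; it reads the classic pcap layout only and counts every packet regardless of protocol.

```python
import struct

# Magic bytes as stored on disk -> (struct byte order, timestamp fraction divisor)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanosecond timestamps
}

def slice_bytes(data, interval=15.0):
    """Return [(slice_start, packets, bytes)] for a classic pcap byte string."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, div = MAGICS[data[:4]]
    # On disk each record header is four 32-bit fields (16 bytes), whatever
    # sizeof(struct pcap_pkthdr) is in memory on the machine reading it.
    rec = struct.Struct(order + "IIII")  # ts_sec, ts_frac, caplen, len
    off, first, slices = 24, None, {}
    while off + rec.size <= len(data):
        sec, frac, caplen, wire_len = rec.unpack_from(data, off)
        off += rec.size + caplen         # caplen bytes of packet data follow
        if off > len(data):
            break                        # file ends mid-packet: drop the partial record
        ts = sec + frac / div
        if first is None:
            first = ts
        idx = max(0, int((ts - first) // interval))  # clamp out-of-order timestamps
        pkts, nbytes = slices.get(idx, (0, 0))
        # Count len (size on the wire), not caplen (bytes saved under the snaplen).
        slices[idx] = (pkts + 1, nbytes + wire_len)
    # A dict keeps a bogus far-future timestamp from allocating millions of
    # empty slices; intervals with no packets are simply absent from the result.
    return [(first + i * interval, p, b) for i, (p, b) in sorted(slices.items())]

def build_sample():
    """Constructed capture: three packets with arbitrary payload bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, caplen, wire_len in [(1000, 500000, 60, 60),
                                        (1005, 0, 96, 1500),  # truncated by snaplen
                                        (1020, 0, 42, 42)]:
        out += struct.pack("<IIII", sec, usec, caplen, wire_len) + b"\x00" * caplen
    return out

if __name__ == "__main__":
    for start, pkts, nbytes in slice_bytes(build_sample()):
        print(f"{start:.6f} {pkts:8d} {nbytes:8d}")
```

To run it on a real capture, pass the file contents: slice_bytes(open(path, "rb").read()).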





Re: How to extract bandwidth usage from tcpdump capture file?
United States
2007-04-05 22:58:09
On Thu, Apr 05, 2007 at 07:44:00PM -0400, James K. Lowden wrote:
> Dave,
>
> You need averages over time.  I'm sure there are other ways, but if it
> were me, I'd use sqlite3, believe it or not.  You can import your text
> file, above, and use the database's time and avg() functions to compute
> your answer.

Ah, I'm not looking for something to parse that text file; I'm looking
for something that can generate something similar to that text file,
given a tcpdump file.
-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: khymazeotrope.org |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 31 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++

Re: How to extract bandwidth usage from tcpdump capture file?
United States
2007-04-05 23:29:57
On Thu, Apr 05, 2007 at 07:08:29PM -0600, Herb Peyerl wrote:
> That'd be one way.... But a .cap file is a relatively trivial file
> format.  There's a pcap_file_header and a pcap_pkthdr in front of
> each packet in the file.  Find the first pcap_pkt hdr, record the
> timestamp and len (see /usr/include/pcap.h) and you have the
> equivalent of your tcptrace output.  Pump it into gnuplot and you're
> done...

So nobody's already done the work for me, huh?  OK, it sounds like
I'll have to roll my own then.
