Find the top 5 (according to number of packets sent) source IP addresses

I think if you reorganize the output from tshark using -T fields it's much easier. I was able to accomplish what you want like so:

$ tshark -r blah.pcap -T fields -e frame.len -e ip.src | sort -k 1n | tail -5
92  10.0.2.2
92  10.0.2.2
92  10.0.2.2
100 10.0.2.15
156 10.0.2.15

tshark fields

You can use this command to get a list of all the fields:

$ tshark -G field

But I found that a bit difficult to read. If you want to understand the columns in the -G field output, they're described here: tshark - Dump and analyze network traffic:

 * Header Fields
 * -------------
 * Field 1 = 'F'
 * Field 2 = descriptive field name
 * Field 3 = field abbreviation
 * Field 4 = type (textual representation of the ftenum type)
 * Field 5 = parent protocol abbreviation
 * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
 * Field 7 = bitmask: format: hex: 0x....
 * Field 8 = blurb describing field

You can use this grep to filter the output if you're brave:

$ tshark -G fields | grep -P '\s+(ip.src|frame.len)\s+'
F   Frame length on the wire    frame.len   FT_UINT32   frame   BASE_DEC    0x0
F   Source  ip.src  FT_IPv4 ip      0x0

References

• enter link description here
• tshark tutorial and filter examples
• Counting IP occurrences in PCAP file using tshark
• Specific IP address display filter using tshark