Bro is an apt tool for connection-oriented analysis. To find the number of packets per flow, you run simply run Bro on the trace and extract the value from the logs:

bro -r trace.pcap
bro-cut id.orig_h id.orig_p id.resp_h id.resp_p orig_pkts resp_pkts < conn.log \
    | awk '$5+$6 > 100 {print $1,$2,$3,$4,$5,$6}' \
    | sort -rn -k 5 \
    | head

This gives the following output:

192.168.1.105 49325 137.226.34.227 80 73568 146244
192.168.1.105 49547 198.189.255.74 80 16764 57098
192.168.1.105 49531 198.189.255.74 80 5186 14843
192.168.1.105 49255 198.189.255.73 80 4749 32164
192.168.1.104 1422 69.147.86.184 80 2657 2656
192.168.1.105 49251 198.189.255.74 80 2254 13854
192.168.1.1 626 224.0.0.1 626 2175 0
192.168.1.105 49513 198.189.255.82 80 2010 3852
192.168.1.103 2026 151.207.243.129 80 1953 2570
192.168.1.105 49330 143.166.11.10 64334 1514 3101

The tool bro-cut ships with Bro and provides a convenient way to extract certain named columns from the logs. For this task, you want:

• id.orig_h: IP of the connection originator (source)
• id.orig_p: Transport-layer port of the connection originator (source)
• id.resp_h: IP of the connection responder (destination)
• id.resp_p: Transport-layer port of the connection responder (source)
• orig_pkts: Number of packets sent by the originator
• resp_pkts: Number of packets sent by the responder

Note the awk filter expression:

awk '$5+$6 > 100 {print ...}'

It restricts the output to those connections that have a total number of packets greater than 100.

Unless you have fixed-size packets, I encourage you to also investigate other metrics, such as packet size (IP or TCP payload). These are readily in the connection logs via the orig_bytes and resp_bytes columns.