This is a static archive of our old Q&A Site. Please post any new questions and answers at

Dump list of unique IPs


I'm getting DDoS'd by a large group of servers, large enough that sorting IPs human-wise is too large but small enough that I'd like to block all of them. My one-second capture has each one hitting ~50-100 times, and it's consistently from these IPs (it's not from the same IP range).

Any way I could dump these into text?

asked 24 Jul '12, 11:45

ryanb213

accept rate: 0%

3 Answers:


The following will create a list of Cisco ACL lines to block the IPs. If you need it in another syntax, I'm sure you will manage :-)

tshark -r file.cap -R "tcp.flags==2" -T fields -e ip.src |\
  sort |\
  uniq |\
  awk '{printf("deny ip host %s any\n",$1)}'

Hope this helps :-)

answered 24 Jul '12, 13:58


SYN-bit ♦♦
accept rate: 20%

edited 24 Jul '12, 16:18


cmaynard ♦♦
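
A thresholded variant of the pipeline in the answer above, as an added example that is not part of the original answer: it emits a rule only for sources seen at least a given number of times, so a legitimate client that sent a single SYN during the capture is not blocked. The function names, the default threshold of 50 and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: threshold-filtered version of the ACL pipeline above.
# Input on stdin: one source address per line, the format produced by
#   tshark -r file.cap -R "tcp.flags==2" -T fields -e ip.src
# (newer tshark releases take the display filter with -Y instead of -R).

# block_rules MIN_HITS   (hypothetical helper, default threshold 50)
# Prints "deny ip host <addr> any" for every IPv4 source seen at least
# MIN_HITS times, sorted numerically by octet.
block_rules() {
    min_hits="${1:-50}"
    awk -v min="$min_hits" '
        # Count dotted-quad lines only; blank lines (packets without an
        # IPv4 source give an empty ip.src field) are skipped.
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    print ip
        }' |
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n |
    awk '{ printf("deny ip host %s any\n", $1) }'
}

# Constructed sample input: two noisy sources, one client with a single
# SYN, and one empty line. Addresses are documentation ranges.
sample_sources() {
    i=0
    while [ "$i" -lt 60 ]; do echo "203.0.113.9"; i=$((i + 1)); done
    i=0
    while [ "$i" -lt 75 ]; do echo "198.51.100.7"; i=$((i + 1)); done
    echo "192.0.2.44"
    echo ""
}

sample_sources | block_rules 50
```
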


You could use the statistics/endpoint function. There is a copy button that allows you to copy the list to the clipboard, from which you can paste it to a text editor.

answered 24 Jul '12, 11:57


Jasper ♦♦
accept rate: 18%

Thank you, I'm new to Wireshark but that solved my exact problem. I was getting saturated on my Gbps line but I only needed 6 filter rules to block it.

Thank you!

(24 Jul '12, 14:08) ryanb213


Please check if one of the following helps:

tshark -r input.cap.pcapng -q -z hosts
tshark -r input.cap.pcapng -q -z ip_hosts,tree

windows: tshark -r input.cap.pcapng -q -z conv,tcp | find "192.168.x.x"
unix: tshark -r input.cap.pcapng -q -z conv,tcp | grep "192.168.x.x"

Where 192.168.x.x is the IP address of your attacked server.


answered 24 Jul '12, 12:02


Kurt Knochner ♦
accept rate: 15%

edited 24 Jul '12, 12:12