This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dump list of unique IP’s


I'm getting DDoS'd by a large group of servers, large enough that sorting the IPs by hand is too big a job but small enough that I'd like to block all of them. My one-second capture has each one hitting ~50-100 times and it's consistently from these IPs (it's not from the same IP range).

Any way I could dump these into text?

asked 24 Jul '12, 11:45

ryanb213

3 Answers:

The following will create a list of Cisco ACL lines to block the IPs; if you need it in another syntax, I'm sure you will manage :-)

# Source address of every bare SYN (tcp.flags==2: SYN set, no other flag),
# de-duplicated, then one Cisco ACL deny line per address.
# Current tshark takes the display filter with -Y (-R now requires two-pass mode, -2).
tshark -r file.cap -Y "tcp.flags==2" -T fields -e ip.src |\
  sort -u |\
  awk '{printf("deny ip host %s any\n",$1)}'

Hope this helps :-)

answered 24 Jul '12, 13:58

SYN-bit ♦♦

edited 24 Jul '12, 16:18

cmaynard ♦♦
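As an added, stand-alone illustration of what the tshark | sort | uniq | awk pipeline in this answer does (this is example code, not SYN-bit's or the Wireshark project's), the script below walks a classic libpcap file itself, counts bare SYNs (SYN set, ACK clear, i.e. tcp.flags==2) per IPv4 source, and prints the same "deny ip host X any" lines, but only for sources at or above a per-source threshold, so a single legitimate client that happened to open one connection during the capture window is not blocked along with the flood. Assumptions: classic pcap format (pcapng is rejected), Ethernet link type, IPv4/TCP only; the embedded capture is constructed from documentation-range addresses (198.51.100.7 and 203.0.113.42 as flood sources, 192.0.2.9 as a genuine client of server 192.0.2.10) and is not real traffic.

```python
import struct
import sys
from collections import Counter
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10
ETHERTYPE_IPV4, IPPROTO_TCP, DLT_EN10MB = 0x0800, 6, 1


def iter_frames(pcap: bytes):
    """Yield link-layer frames from a classic libpcap blob (either byte order)."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen


def syn_source(frame: bytes):
    """IPv4 source of a bare SYN (SYN set, ACK clear), the tcp.flags==2 test
    in the tshark pipeline, or None for any other frame."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]               # honour the IHL field
    if len(tcp) < 14:
        return None
    flags = tcp[13]
    return IPv4Address(ip[12:16]) if flags & SYN and not flags & ACK else None


def syn_counts(pcap: bytes) -> Counter:
    """Number of bare SYNs seen from each source address."""
    counts = Counter()
    for frame in iter_frames(pcap):
        src = syn_source(frame)
        if src is not None:
            counts[src] += 1
    return counts


def acl_lines(counts: Counter, threshold: int) -> list:
    """Cisco 'deny ip host X any' lines for sources at or above threshold,
    busiest first; sources below it (a one-off real client) are left alone."""
    offenders = sorted((s for s, n in counts.items() if n >= threshold),
                       key=lambda s: (-counts[s], s))
    return [f"deny ip host {s} any" for s in offenders]


# --- constructed sample capture (not real traffic) ---------------------------
def _frame(src: str, dst: str, flags: int = SYN) -> bytes:
    """Ethernet/IPv4/TCP frame with no payload; checksums left at zero."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + tcp


def _pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap file (magic a1b2c3d4)."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    recs = (struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return head + b"".join(recs)


SERVER = "192.0.2.10"                          # the attacked host (hypothetical)
SAMPLE_PCAP = _pcap(
    [_frame("198.51.100.7", SERVER)] * 60      # two flood sources ...
    + [_frame("203.0.113.42", SERVER)] * 55
    + [_frame("192.0.2.9", SERVER),            # ... and one genuine client handshake
       _frame(SERVER, "192.0.2.9", SYN | ACK),
       _frame("192.0.2.9", SERVER, ACK)]
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("\n".join(acl_lines(syn_counts(data), threshold=10)))
```

Run it with a capture path as the only argument, or with no argument to process the embedded sample (prints the two flood sources, not the client). Wireshark has saved pcapng by default for years; convert with `editcap -F pcap in.pcapng out.pcap` before feeding a capture to this parser. A per-host deny list like this only helps when the SYN sources are real hosts, as the asker observed; a SYN flood from spoofed addresses needs rate limiting or SYN cookies rather than a list of IPs.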

You could use the statistics/endpoint function. There is a copy button that allows you to copy the list to the clipboard, from which you can paste it to a text editor.

answered 24 Jul '12, 11:57

Jasper ♦♦

Thank you, I'm new to Wireshark but that solved my exact problem. I was getting saturated on my Gbps line but I only needed 6 filter rules to block it.

Thank you!

(24 Jul '12, 14:08) ryanb213

Please check if one of the following helps:

# Name resolution data collected from the capture:
tshark -r input.cap.pcapng -q -z hosts
# Packet and byte counts per IP address:
tshark -r input.cap.pcapng -q -z ip_hosts,tree

# TCP conversations involving the attacked server:
windows: tshark -r input.cap.pcapng -q -z conv,tcp | find "192.168.x.x"
unix: tshark -r input.cap.pcapng -q -z conv,tcp | grep "192.168.x.x"

Where 192.168.x.x is the IP address of your attacked server.

Regards
Kurt

answered 24 Jul '12, 12:02

Kurt Knochner ♦

edited 24 Jul '12, 12:12