This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am performing a Wireshark capture for 24 hours at a network endpoint. During these 24 hours, the endpoint communicates with multiple other endpoints, for example IP addresses A through K. The endpoint where the capture is being performed (my endpoint) constantly communicates with endpoints with IP addresses A through J throughout the 24 hours. However, my endpoint only communicates with IP address K only a single time during the 24 hours. For example: 1. IP address A = 5 TCP connections during the 24 hours 2. IP address B = 23 TCP connections during the 24 hours 3. IP address C = 15 UDP connections during the 24 hours And so forth until: IP address K = 1 TCP connection during the 24 hours

Is there a way to display the number of TCP/UDP connections per IP address in Wireshark? Is there a way to remove (create a filter) to remove traffic from an IP address in which only a single TCP/UDP connection was made?

asked 20 Aug '13, 12:22

Amato_C's gravatar image

Amato_C
1.1k142032
accept rate: 14%


Is there a way to display the number of TCP/UDP connections per IP address in Wireshark?

Not directly. What you can do is this:

Statistics -> Conversations -> IP

Then count the amount of connections manually from your client -> A,B,C,D,E etc.

You can do the same on the CLI

tshark -nr input.pcap -q -z conv,ip

Regards
Kurt

permanent link

answered 21 Aug '13, 03:35

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thank you for the reply. I modified your suggestion to include tcp and udp ports: tshark -nr input.pcap -q -z conv,tcp tshark -nr input.pcap -q -z conv,udp

I combined the outputs to create one table that includes all the TCP and UDP ports. After doing some post-analysis, I was able to determine which IP addresses utilized multiple ports and therefore could no be a single TCP/UDP connection.

However, I have another issue. For NTP, the above analysis is invalid since port 123 is used for both source/destination ports and my endpoint performs numerous NTP transfers.

Is there a way to output (using tshark) the time when a certain IP address is being used?

For example: IP address A is access at 12400, 26800, 41200, etc..

(21 Aug '13, 12:14) Amato_C
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×3
×1

question asked: 20 Aug '13, 12:22

question was seen: 1,017 times

last updated: 21 Aug '13, 12:14

p​o​w​e​r​e​d by O​S​Q​A