I am performing a Wireshark capture for 24 hours at a network endpoint. During these 24 hours, the endpoint communicates with multiple other endpoints, for example IP addresses A through K. The endpoint where the capture is being performed (my endpoint) constantly communicates with the endpoints with IP addresses A through J throughout the 24 hours. However, my endpoint communicates with IP address K only a single time during the 24 hours. For example:

1. IP address A = 5 TCP connections during the 24 hours
2. IP address B = 23 TCP connections during the 24 hours
3. IP address C = 15 UDP connections during the 24 hours

And so forth until:

IP address K = 1 TCP connection during the 24 hours

Is there a way to display the number of TCP/UDP connections per IP address in Wireshark? Is there a way (i.e. a filter I can create) to remove traffic from an IP address with which only a single TCP/UDP connection was made?

asked 20 Aug '13, 12:22 Amato_C
One Answer:
Not directly. What you can do is this:
Then count the number of connections manually from your client -> A, B, C, D, E etc. You can do the same on the CLI.

Regards

answered 21 Aug '13, 03:35 Kurt Knochner ♦
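The manual count above can be automated by feeding tshark's conversation tables to a small script. The following is an added example, not code from the question or the answer: it parses the text that `tshark -nr input.pcap -q -z conv,tcp -z conv,udp` prints, counts conversations per peer IP for an assumed capture endpoint (MY_IP, an assumption), and emits a display filter that hides every peer that appears in only one conversation. SAMPLE_CONV is constructed to mirror the layout of tshark's conversation statistics (an address pair joined by `<->`, followed by the frame/byte columns) so the script runs offline.

```python
"""Count TCP/UDP conversations per peer IP from tshark conversation
statistics and build a Wireshark display filter that hides peers seen in
only one conversation.

Added example, not code from the original post. Real input comes from:
    tshark -nr input.pcap -q -z conv,tcp -z conv,udp
SAMPLE_CONV is constructed in that shape; MY_IP is an assumed endpoint.
"""
import re
from collections import Counter

MY_IP = "10.0.0.5"  # assumption: the endpoint the capture was taken on

# Constructed sample in the shape of `tshark -q -z conv,tcp -z conv,udp` output.
SAMPLE_CONV = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.5:51234       <-> 192.0.2.10:443            10      3000      12      4000      22      7000     0.000000000        12.3456
10.0.0.5:51235       <-> 192.0.2.10:443             8      2100       9      3300      17      5400   100.000000000         3.0000
10.0.0.5:51240       <-> 198.51.100.7:22           40     12000      50     20000      90     32000   200.000000000       600.0000
================================================================================
UDP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.5:123         <-> 203.0.113.9:123           30      2280      30      2280      60      4560     5.000000000     86000.0000
10.0.0.5:40001       <-> 192.0.2.10:53              1        70       1       150       2       220    50.000000000         0.0100
================================================================================
"""

# A data row starts with "<addr>:<port> <-> <addr>:<port>"; header rows do not.
CONV_ROW = re.compile(r"^(\S+)\s+<->\s+(\S+)")


def _split_endpoint(token):
    """'192.0.2.10:443' -> ('192.0.2.10', 443); rsplit keeps IPv6 colons intact."""
    host, port = token.rsplit(":", 1)
    return host, int(port)


def parse_conversations(text):
    """Return [(proto, host_a, port_a, host_b, port_b), ...] from the tables."""
    proto = None
    rows = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Conversations"):  # e.g. "TCP Conversations"
            proto = stripped.split()[0].lower()
            continue
        m = CONV_ROW.match(line)
        if m and proto:
            a, pa = _split_endpoint(m.group(1))
            b, pb = _split_endpoint(m.group(2))
            rows.append((proto, a, pa, b, pb))
    return rows


def count_per_peer(rows, my_ip):
    """Number of conversations (TCP and UDP together) between my_ip and each peer."""
    counts = Counter()
    for _proto, a, _pa, b, _pb in rows:
        if a == my_ip:
            counts[b] += 1
        elif b == my_ip:
            counts[a] += 1  # rows that do not involve my_ip are ignored
    return counts


def single_conversation_peers(counts):
    """Peers that appear in exactly one conversation, sorted for stable output."""
    return sorted(peer for peer, n in counts.items() if n == 1)


def exclusion_filter(peers):
    """Wireshark display filter that drops all traffic to/from the given peers."""
    if not peers:
        return ""
    return "!(" + " || ".join(f"ip.addr == {p}" for p in peers) + ")"


if __name__ == "__main__":
    rows = parse_conversations(SAMPLE_CONV)
    counts = count_per_peer(rows, MY_IP)
    for peer, n in counts.most_common():
        print(f"{peer:16} {n} conversation(s)")
    print(exclusion_filter(single_conversation_peers(counts)))
```

Paste the printed filter into Wireshark's display filter bar, or pass it to tshark with `-Y`, to hide the one-off peers. One caveat: a conversation row is a unique address:port pair, not a TCP connection or a request, so a UDP service that uses the same port on both ends (NTP's 123 <-> 123) collapses a day of exchanges into a single row with a high frame count; the frame columns, not the row count, tell that story.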
Thank you for the reply. I modified your suggestion to include tcp and udp ports:

    tshark -nr input.pcap -q -z conv,tcp
    tshark -nr input.pcap -q -z conv,udp

I combined the outputs to create one table that includes all the TCP and UDP ports. After doing some post-analysis, I was able to determine which IP addresses utilized multiple ports and therefore could not be a single TCP/UDP connection.
However, I have another issue. For NTP, the above analysis is invalid since port 123 is used for both source/destination ports and my endpoint performs numerous NTP transfers.
Is there a way to output (using tshark) the time when a certain IP address is being used? For example: IP address A is accessed at 12400, 26800, 41200, etc.
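The per-IP timestamps asked for above can be pulled out of a tshark field export, and keying on IP addresses rather than ports also sidesteps the NTP problem, since 123 <-> 123 traffic is attributed to its peer like any other packet. The following is an added example, not code from the thread: it reads the tab-separated output of `tshark -nr input.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst` and lists, for an assumed capture endpoint (MY_IP, an assumption), the capture-relative seconds at which each peer was seen. SAMPLE_FIELDS is constructed in that shape, including one non-IP frame with empty ip.* fields, so the script runs offline.

```python
"""List, per peer IP, the capture-relative times at which my endpoint
exchanged packets with it, from a tshark field export.

Added example, not code from the original post. Real input comes from:
    tshark -nr input.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst
(tab-separated, one line per frame). SAMPLE_FIELDS is constructed in that
shape; MY_IP is an assumed endpoint.
"""
from collections import defaultdict

MY_IP = "10.0.0.5"  # assumption: the endpoint the capture was taken on

# Constructed sample: frame.time_relative, ip.src, ip.dst. The third line
# stands in for a non-IP frame (e.g. ARP), whose ip.* fields come out empty.
SAMPLE_FIELDS = """\
0.000000000\t10.0.0.5\t192.0.2.10
0.045000000\t192.0.2.10\t10.0.0.5
3.000000000\t\t
5.000000000\t10.0.0.5\t203.0.113.9
5.020000000\t203.0.113.9\t10.0.0.5
12400.000000000\t10.0.0.5\t192.0.2.10
26800.000000000\t10.0.0.5\t192.0.2.10
41200.000000000\t10.0.0.5\t192.0.2.10
43205.500000000\t10.0.0.5\t198.51.100.7
"""


def times_per_peer(text, my_ip):
    """Map peer IP -> sorted list of frame.time_relative values (seconds)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[1] or not parts[2]:
            continue  # non-IP frame or malformed line
        t, src, dst = float(parts[0]), parts[1], parts[2]
        # Attribute the frame to whichever side is not my endpoint; frames
        # between two other hosts (or loopback) are skipped.
        peer = dst if src == my_ip else src if dst == my_ip else None
        if peer is not None:
            seen[peer].append(t)
    return {peer: sorted(ts) for peer, ts in seen.items()}


def one_time_peers(per_peer):
    """Peers seen in exactly one frame during the capture."""
    return sorted(p for p, ts in per_peer.items() if len(ts) == 1)


def summarize(per_peer):
    """(peer, frame_count, first_seen, last_seen) rows, busiest peer first."""
    rows = [(p, len(ts), ts[0], ts[-1]) for p, ts in per_peer.items()]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    per_peer = times_per_peer(SAMPLE_FIELDS, MY_IP)
    for peer, n, first, last in summarize(per_peer):
        print(f"{peer:16} {n:4} frames  first {first:12.3f}  last {last:12.3f}")
    for peer, ts in per_peer.items():
        print(peer, "accessed at", ", ".join(f"{t:.0f}" for t in ts))
    print("contacted once:", one_time_peers(per_peer))
```

To look at a single peer only, add `-Y "ip.addr == A"` to the tshark command; for wall-clock timestamps instead of seconds since the first frame, export `-e frame.time` or `-e frame.time_epoch`. If the capture contains frames with more than one IP header (ICMP errors, tunnels), tshark joins the values with commas; `-E occurrence=f` keeps only the outer header so the parser above sees one address per field.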