This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter to remove non-periodic events

0

I am performing a Wireshark capture for 24 hours at a network endpoint. During these 24 hours, the endpoint communicates with multiple other endpoints, for example IP addresses A through K. The endpoint where the capture is being performed (my endpoint) constantly communicates with endpoints with IP addresses A through J throughout the 24 hours. However, my endpoint communicates with IP address K only a single time during the 24 hours. For example:

1. IP address A = 5 TCP connections during the 24 hours
2. IP address B = 23 TCP connections during the 24 hours
3. IP address C = 15 UDP connections during the 24 hours

And so forth until:

IP address K = 1 TCP connection during the 24 hours

Is there a way to display the number of TCP/UDP connections per IP address in Wireshark? Is there a way (a filter) to remove traffic from an IP address with which only a single TCP/UDP connection was made?

asked 20 Aug '13, 12:22

Amato_C
accept rate: 14%


One Answer:

0

Is there a way to display the number of TCP/UDP connections per IP address in Wireshark?

Not directly. What you can do is this:

Statistics -> Conversations -> IP

Then count the amount of connections manually from your client -> A,B,C,D,E etc.

You can do the same on the CLI

tshark -nr input.pcap -q -z conv,ip

Regards
Kurt

answered 21 Aug '13, 03:35

Kurt Knochner ♦
accept rate: 15%

Thank you for the reply. I modified your suggestion to include tcp and udp ports:

tshark -nr input.pcap -q -z conv,tcp
tshark -nr input.pcap -q -z conv,udp

I combined the outputs to create one table that includes all the TCP and UDP ports. After doing some post-analysis, I was able to determine which IP addresses utilized multiple ports and therefore could not be a single TCP/UDP connection.

However, I have another issue. For NTP, the above analysis is invalid since port 123 is used for both source/destination ports and my endpoint performs numerous NTP transfers.

Is there a way to output (using tshark) the time when a certain IP address is being used?

For example: IP address A is accessed at 12400, 26800, 41200, etc.

(21 Aug '13, 12:14) Amato_C
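An added example for this archive page (written here, not posted by either participant) that automates the manual counting step from Kurt's answer and also shows the NTP caveat and the per-peer timing question raised in the follow-up comment. It parses the text that `tshark -q -z conv,tcp` / `-z conv,udp` print, counts conversations per remote peer, lists the peers seen only once, and emits a Wireshark display filter that hides them. The two tables below are constructed sample output in that layout (192.0.2.10 stands in for "my endpoint"; the peer addresses are documentation ranges chosen for the example). The `max_frames` threshold is this example's own idea, not a tshark option: a fixed-port exchange such as NTP (123 <-> 123) shows up as one conversation with many frames, so a frame cap keeps it out of the "single connection" list. The row pattern assumes IPv4 endpoints.

```python
import re
from collections import Counter

# Constructed sample output in the layout of
#   tshark -nr input.pcap -q -z conv,tcp   and   ... -q -z conv,udp
# Columns per row: addrA:portA <-> addrB:portB, then <- frames/bytes,
# -> frames/bytes, total frames/bytes, relative start, duration.
SAMPLE_TCP = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.0.2.10:50001     <-> 198.51.100.1:443          12      9876       10      1234       22     11110     0.000000000         2.5012
192.0.2.10:50002     <-> 198.51.100.1:443           8      6543        7       987       15      7530    10.200000000         1.9870
192.0.2.10:50003     <-> 198.51.100.2:80            5      4321        4       654        9      4975    20.500000000         0.7654
192.0.2.10:50004     <-> 203.0.113.77:8080          3       300        2       200        5       500  3600.100000000         0.1000
================================================================================
"""
SAMPLE_UDP = """\
================================================================================
UDP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.0.2.10:123       <-> 198.51.100.3:123          40      3600       40      3600       80      7200     0.000000000     86000.0000
192.0.2.10:53011     <-> 198.51.100.2:53            1        80        1       120        2       200     5.000000000         0.0210
================================================================================
"""

# One conversation row (IPv4 only: IPv6 addresses would contain ':' themselves).
CONV_ROW = re.compile(
    r"^(\S+?):(\d+)\s+<->\s+(\S+?):(\d+)"           # endpoints
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"             # <- frames/bytes, -> frames/bytes
    r"\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s*$"   # total frames/bytes, start, duration
)


def parse_conversations(table):
    """Return one dict per conversation row found in a tshark conv table."""
    rows = []
    for line in table.splitlines():
        m = CONV_ROW.match(line)
        if m:
            rows.append({"a": m.group(1), "port_a": int(m.group(2)),
                         "b": m.group(3), "port_b": int(m.group(4)),
                         "frames": int(m.group(9)), "start": float(m.group(11))})
    return rows


def _peer_of(row, my_ip):
    """Remote side of a row involving my_ip, or None if my_ip is not in it."""
    if row["a"] == my_ip:
        return row["b"]
    if row["b"] == my_ip:
        return row["a"]
    return None


def peer_stats(my_ip, *tables):
    """Map each remote peer to (conversation count, total frames) over all tables."""
    convs, frames = Counter(), Counter()
    for table in tables:
        for row in parse_conversations(table):
            peer = _peer_of(row, my_ip)
            if peer is not None:
                convs[peer] += 1
                frames[peer] += row["frames"]
    return {peer: (convs[peer], frames[peer]) for peer in convs}


def access_times(my_ip, *tables):
    """Map each remote peer to the sorted relative start times of its conversations."""
    times = {}
    for table in tables:
        for row in parse_conversations(table):
            peer = _peer_of(row, my_ip)
            if peer is not None:
                times.setdefault(peer, []).append(row["start"])
    return {peer: sorted(ts) for peer, ts in times.items()}


def single_connection_peers(my_ip, *tables, max_frames=None):
    """Peers seen in exactly one conversation (optionally with at most max_frames frames)."""
    return sorted(peer for peer, (n, f) in peer_stats(my_ip, *tables).items()
                  if n == 1 and (max_frames is None or f <= max_frames))


def exclusion_filter(peers):
    """Wireshark display filter hiding every packet to or from the given peers."""
    return " && ".join(f"!(ip.addr == {peer})" for peer in peers)


if __name__ == "__main__":
    me = "192.0.2.10"
    for peer, (n, f) in sorted(peer_stats(me, SAMPLE_TCP, SAMPLE_UDP).items()):
        print(f"{peer:16} conversations={n:2} frames={f:4} starts={access_times(me, SAMPLE_TCP, SAMPLE_UDP)[peer]}")
    print(exclusion_filter(single_connection_peers(me, SAMPLE_TCP, SAMPLE_UDP, max_frames=20)))
```

Run against real captures by feeding the script the saved output of the two tshark commands from the comment above; without `max_frames` the NTP peer is reported as a single connection (one conversation, 80 frames), with `max_frames=20` only the one-off 203.0.113.77 peer remains and the resulting filter is `!(ip.addr == 203.0.113.77)`.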