This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark Display Filter for Unique Source/Destination IP and Protocol

0

I need to create a display filter that does the following: For each source IP address, list all destination IP addresses, but only list unique protocols for each destination IP address.

In other words, I want to see only one row of data for each unique: ip.src = X, ip.dst = Y, protocol = Z

I'd like to create this filter such that it covers all source IPs, so I don't have to create a separate filter for each source IP address.

I need to do the above for many PCAP files in "batch" mode. If this cannot be done in the Wireshark GUI, then I would like a command-line (tshark) solution.

asked 21 Aug '14, 13:03

moving2
accept rate: 0%

edited 21 Aug '14, 13:08


One Answer:

0

I think you'll have to use tshark for this. One potential solution might be:

`tshark -r file.pcap -Y ip -T fields -e ip.src -e ip.dst -e _ws.col.Protocol | sort | uniq`

Note: If you want protocol numbers instead of protocol names, substitute -e ip.proto for _ws.col.Protocol, or use both if you prefer that.

answered 25 Aug '14, 12:47

cmaynard ♦♦
accept rate: 20%
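
The answer's pipeline extended to the "batch" case the question asks about, as an added example that is not part of the original answer. It goes slightly further than `sort | uniq` by keeping a packet count per triple and by passing `-E occurrence=f` to tshark; the function names `unique_flows`, `batch_flows` and `sample_rows` and the `.flows.tsv` output name are hypothetical, and the sample rows are constructed.

```shell
#!/usr/bin/env bash
# Added example: batch form of the tshark | sort | uniq pipeline above.

# Reduce "src<TAB>dst<TAB>proto" rows (tshark -T fields output) on stdin
# to one row per unique triple, prefixed with its packet count.
unique_flows() {
    awk -F'\t' -v OFS='\t' '
        NF == 3 && $1 != "" && $2 != "" { seen[$1 OFS $2 OFS $3]++ }
        END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k2,2 -k3,3 -k4,4
}

# Run the answer's tshark command over each capture given as an argument
# and write <capture>.flows.tsv beside it.
# -E occurrence=f keeps only the first ip.src/ip.dst per packet. Without it,
# packets carrying a second IP header (ICMP errors, tunnels) produce
# comma-joined values such as "10.0.0.1,198.51.100.7", which show up as
# separate, misleading rows.
batch_flows() {
    for pcap in "$@"; do
        tshark -r "$pcap" -Y ip -T fields -E occurrence=f \
            -e ip.src -e ip.dst -e _ws.col.Protocol |
            unique_flows > "${pcap%.*}.flows.tsv"
    done
}

# Constructed sample of tshark field output, used when no capture is given.
sample_rows() {
    printf '%s\t%s\t%s\n' \
        10.0.0.5 10.0.0.1 DNS \
        10.0.0.5 198.51.100.7 TCP \
        10.0.0.5 10.0.0.1 DNS \
        10.0.0.5 198.51.100.7 TLSv1.2 \
        10.0.0.1 10.0.0.5 DNS \
        10.0.0.5 198.51.100.7 TCP
}

if [ "$#" -gt 0 ]; then
    batch_flows "$@"          # e.g. ./flows.sh captures/*.pcap
else
    sample_rows | unique_flows
fi
```

Each output row is `count`, `ip.src`, `ip.dst`, protocol, tab-separated, so the per-capture files can be concatenated and passed through `unique_flows`-style aggregation again if one combined view is wanted.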