This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Eliminate same source ip address going to dns server


I'm trying to isolate who is still hitting our old DNS server, and a bunch of packets are left over after running editcap -p, clearing bad requests, and broadcast traffic. I see the same IP hitting the DNS server but with different requests and/or packets. How do I keep the first time the source was captured and delete the duplicated source IP addresses? Is there a way to clear duplicated source IP addresses instead of packets?

Thanks,

asked 21 Oct '14, 12:58


xxlunarxx


One Answer:


If you want a list of unique IP addresses, you might want to use tshark with the "-T fields" parameter instead, using the "ip.src" field, like

tshark -r "yourtrace.pcapng" -T fields -e ip.src | sort | uniq

You need the unix style command line tools "sort" and "uniq" of course, or in your case at least "uniq".

Or, you could just use Wireshark, filter on DNS and use the endpoint statistics to list all IP addresses.

answered 21 Oct '14, 13:07


Jasper ♦♦

edited 21 Oct '14, 13:09

What kind of filter can I use in Wireshark that would be the same as the 'uniq' option? I'm running Wireshark on our old DNS server, which is Windows.

(21 Oct '14, 14:24) xxlunarxx

This line worked. Thanks mate.

(21 Nov '14, 07:36) xxlunarxx
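The answer's "sort | uniq" pipeline drops the timestamp the question asked for and relies on "uniq", which Windows lacks. The script below is an added example (not from the answer or the Wireshark project): it post-processes tshark field output, keeping the first query seen from each source address and counting the rest. It assumes the trace was exported as tab-separated fields with "tshark -r trace.pcapng -Y 'dns.flags.response == 0' -T fields -e frame.time_epoch -e ip.src -e dns.qry.name"; the sample lines embedded in it are constructed, and the file name queries.tsv is a placeholder.

```python
#!/usr/bin/env python3
"""Replace `sort | uniq` for DNS client listing: one line per source IP,
with the first time it was seen and how many queries it sent.
Assumed tshark export (tab-separated): frame.time_epoch, ip.src, dns.qry.name."""
import sys
from datetime import datetime, timezone

# Constructed sample of `tshark -T fields` output; not real capture data.
SAMPLE = """\
1413917880.101\t192.0.2.10\tmail.example.com
1413917880.452\t192.0.2.25\twww.example.com
1413917881.003\t192.0.2.10\tintranet.example.com
1413917882.777\t198.51.100.7\tupdates.example.com
1413917883.120\t192.0.2.25\twww.example.com
"""


def first_seen_per_source(lines):
    """Return {ip.src: (first_epoch, first_qname, query_count)} in first-seen order."""
    seen = {}  # insertion order is preserved, so iteration == first-seen order
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 2 or not parts[1]:
            continue  # no ip.src (e.g. IPv6 client or non-IP frame): skip
        epoch, src = float(parts[0]), parts[1]
        qname = parts[2] if len(parts) > 2 else ""
        if src in seen:
            first_epoch, first_qname, count = seen[src]
            seen[src] = (first_epoch, first_qname, count + 1)
        else:
            seen[src] = (epoch, qname, 1)
    return seen


def format_report(seen):
    """Render one human-readable row per client, timestamp in UTC."""
    rows = []
    for src, (epoch, qname, count) in seen.items():
        ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(f"{src:<16} first {ts} UTC  queries={count}  first_qname={qname}")
    return rows


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. queries.tsv written by the tshark command above
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = format_report(first_seen_per_source(fh))
    else:
        report = format_report(first_seen_per_source(SAMPLE.splitlines(keepends=True)))
    print("\n".join(report))
```

Because it only needs Python, the same script runs unchanged on the Windows DNS server the follow-up comment mentions.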