
At my work we have a computer running Dumpcap to capture LAN traffic into hourly captures. What is the easiest way via command line, and with what tool, to extract a list of IP addresses from the .cap files (post capture) and output them to a text file? Looking to output all destination and source IP addresses, and if possible filter out all local 192.168.x.x traffic IPs. Hoping to have a single IP per line in the text file. Any help would be much appreciated, thanks.

Maybe this is possible: `tshark -r input.cap -w output.txt -R "Some type of filter here"`

Our use case: we are hoping to compare this output text file of IP addresses to a list of IPs from various malware resource groups who post IPs associated with the most current C&C servers and malware, hoping to alert us of an infection by one of our users via email upon a match. It will be run via a batch file, hence the command line method, hourly after an hourly capture has been completed.

asked 22 Nov '14, 16:52


zer0day

edited 22 Nov '14, 17:11


I have found my answer after many hours of trial and error.

To get destination and source IP addresses from a capture using tshark I used the command below:

`tshark -r <input file> -T fields -e ip.dst -e ip.src > path\output.txt`

So, after figuring this out I incorporated this into a PowerShell script to sort, get a unique list of destination IP addresses (decided to only use destination, -e ip.dst), and to filter out any 192.168.x.x traffic IPs. Here is my PowerShell script:

```powershell
# Take the oldest .cap in the capture folder (the completed one of the two-file round robin) and move it to the working folder
gci C:\Users\User\Desktop\capturetest\*.cap | where {!$_.PSIsContainer} | sort LastWriteTime | select -f 1 | move -destination "C:\Users\User\Desktop\target1"

# Give it a fixed name so the tshark command below never changes
gci C:\Users\User\Desktop\target1 *.cap | rename-item -newname capture.cap

# Export the destination IP of every packet, one packet per line
tshark -r C:\Users\User\Desktop\target1\capture.cap -T fields -e ip.dst > C:\Users\User\Desktop\target1\ip.txt

# Dedupe and drop 192.168.x.x lines (-pattern is a regex, so the dots are escaped and the match is anchored to the start of the line)
gc C:\Users\User\Desktop\target1\ip.txt | sort | get-unique | select-string -pattern "^192\.168\." -notmatch | Out-File C:\Users\User\Desktop\target1\match.txt

# Hand the result to the share where the blacklist comparison runs
gci C:\Users\User\Desktop\target1\match.txt | move -destination "\\192.168.1.4\folder\outbound"

# Cleanup so the next hourly run starts from an empty working folder
Remove-Item C:\Users\User\Desktop\target1\ip.txt
Remove-Item C:\Users\User\Desktop\target1\capture.cap
```

A run through:

I have dumpcap running doing a round robin of two one-hour captures in a folder labeled "capturetest". The script looks in the folder for a file with the .cap extension, finds the .cap file by its last write time and moves it to a folder called "target1":

`gci C:\Users\User\Desktop\capturetest\*.cap | where {!$_.PSIsContainer} | sort LastWriteTime | select -f 1 | move -destination "C:\Users\User\Desktop\target1"`

Then, once moved to target1, the cap file gets renamed to "capture.cap":

`gci C:\Users\User\Desktop\target1 *.cap | rename-item -newname capture.cap`

Then tshark does its thing and exports the destination IP addresses to a text file called "ip.txt":

`tshark -r C:\Users\User\Desktop\target1\capture.cap -T fields -e ip.dst > C:\Users\User\Desktop\target1\ip.txt`

Now that we have a list of destination IPs we need to get rid of duplicate IPs and filter out any 192.168.x.x traffic. This will be output to "match.txt":

`gc C:\Users\User\Desktop\target1\ip.txt | sort | get-unique | select-string -pattern "^192\.168\." -notmatch | Out-File C:\Users\User\Desktop\target1\match.txt`

(The `-pattern` argument is a regular expression, so the dots are escaped and the match is anchored to the start of the line; an unescaped, unanchored "192.168" would also match that sequence anywhere inside a line.)

Now the match.txt file gets moved to a server share where another script compares match.txt to another text file, a blacklist compiled from various sources of malicious and compromised IPs:

`gci C:\Users\User\Desktop\target1\match.txt | move -destination "\\192.168.1.4\folder\outbound"`

Then, since I have this PowerShell script running as a scheduled task hourly, we need to do some cleanup just to be tidy:

`Remove-Item C:\Users\User\Desktop\target1\ip.txt`

`Remove-Item C:\Users\User\Desktop\target1\capture.cap`

Edit: To run tshark as it is scripted, you will need to add tshark's path to your environment variables. This script is running on Windows 7 Pro with PowerShell v2. Here's a how-to: http://www.computerhope.com/issues/ch000549.htm


answered 13 Dec '14, 21:21


zer0day

edited 25 Aug, 18:23

> Maybe this is possible: `tshark -r input.cap -w output.txt -R "Some type of filter here"`

It's possible, but it won't do what you want - all a filter does is control which packets to process; it doesn't affect the format of the output. Furthermore, -w writes out a capture file, not arbitrary text.

It's not the most convenient, but you could try doing

`tshark -q -r input.cap -z ip_hosts,tree`

That will print out, to the standard output, a list of all source and destination IP addresses in the file, along with some statistics about the traffic to and from each of the hosts. If you just want a list of addresses, you'll have to run it through another program to filter out all the headers, etc.


answered 23 Nov '14, 00:15


Guy Harris ♦♦

edited 23 Nov '14, 00:16
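Both answers leave the post-processing to the reader: the PowerShell pipeline in the accepted answer drops lines matching "192.168" and keeps whatever else tshark printed, and the `-z ip_hosts,tree` table has headers and counts that must be stripped before the addresses can be compared to a blacklist. The script below is an added example, not code from either poster or from the Wireshark project, that covers both inputs: it pulls every valid IPv4 address out of either form of tshark output (including the comma-separated values `-T fields` prints when a frame carries more than one IP header, e.g. an ICMP error quoting the original packet), drops all RFC 1918 and other non-routable ranges rather than only 192.168.x.x, deduplicates, and intersects the result with a one-address-per-line blocklist like the one the question describes. The two sample outputs, the blocklist contents and the function names are constructed for this example; the tshark commands named in the comments are the ones quoted in the answers above.

```python
import ipaddress
import re
from typing import Iterable, List, Set

# Constructed sample of `tshark -r capture.cap -T fields -e ip.dst` output.
# A frame with two IP headers prints both addresses comma-separated on one
# line and a frame without an IP layer prints an empty line; a plain
# sort/unique over these lines would keep both oddities.
FIELDS_OUTPUT = """\
192.168.1.10
203.0.113.9
192.168.1.10,203.0.113.9
172.20.5.1
198.51.100.7

203.0.113.9
"""

# Constructed sample shaped like `tshark -q -r capture.cap -z ip_hosts,tree`;
# headers, rules and counts are illustrative, not the output of a real run.
TREE_OUTPUT = """\
===================================================================
IPv4 Statistics/All Addresses:
Topic / Item       Count         Average       Min val       Max val
-------------------------------------------------------------------
All Addresses      13
 192.168.1.10      8
 203.0.113.9       3
 198.51.100.250    1
 10.0.0.5          1
===================================================================
"""

# Constructed blocklist, one address per line; blanks and '#' comments allowed.
# The addresses are from the IANA documentation ranges, not real indicators.
BLOCKLIST_TEXT = """\
# hypothetical C&C addresses for the example
203.0.113.9
198.51.100.250
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# The 192.168/16 range the poster filters, plus the rest of RFC 1918 and the
# other non-routable blocks that can never be an external C&C host.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "224.0.0.0/4", "255.255.255.255/32",                # multicast, broadcast
)]


def extract_ipv4(text: str) -> Set[str]:
    """Return every valid IPv4 address found anywhere in tshark output.

    Keying on the address token instead of on column positions makes this
    work for both the -T fields lines (comma-separated values included) and
    the -z ip_hosts,tree table, whose header and rule lines hold no address.
    """
    found: Set[str] = set()
    for token in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(token)  # rejects octets > 255, e.g. 999.1.1.1
        except ValueError:
            continue
        found.add(token)
    return found


def is_local(addr: str) -> bool:
    """True if the address falls inside any of LOCAL_NETS."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in LOCAL_NETS)


def external_only(addrs: Iterable[str]) -> Set[str]:
    """Keep only routable addresses; a superset of the '192.168' string filter."""
    return {a for a in addrs if not is_local(a)}


def load_blocklist(text: str) -> Set[str]:
    """Parse a one-address-per-line blocklist, ignoring blank and comment lines."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    return extract_ipv4("\n".join(lines))


def find_matches(tshark_output: str, blocklist: Set[str]) -> List[str]:
    """Unique external destination addresses that also appear on the blocklist."""
    return sorted(external_only(extract_ipv4(tshark_output)) & blocklist)


if __name__ == "__main__":
    blocklist = load_blocklist(BLOCKLIST_TEXT)
    for label, output in (("-T fields", FIELDS_OUTPUT), ("ip_hosts,tree", TREE_OUTPUT)):
        hits = find_matches(output, blocklist)
        print(f"{label}: {len(hits)} blocklisted destination(s): {', '.join(hits) or '-'}")
```

Run as-is it reports the hits for both constructed samples; in the hourly job you would feed it the saved tshark output (or the match.txt the PowerShell script produces) instead. One caveat when reading match.txt from Python or any non-PowerShell tool: Windows PowerShell's Out-File writes UTF-16 by default unless `-Encoding ascii` is given, so open that file with the matching encoding or the addresses will not compare equal to the blacklist entries.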
