At my work we have a computer running Dumpcap to capture LAN traffic into hourly captures. What is the easiest way via command line and with what tool to extract a list of IP addresses from the .cap files(post capture) and output them to a text file. Looking to output all Destination and Source IP addresses, and if possible filter out all local 192.168.x.x. traffic IP's. Hoping to have a single IP per line in the text file. Any help would be much appreciated, thanks.
Maybe this is possible: tshark -r input.cap -w output.txt -R "Some type of filter here"
Our use case: We are hoping to compare this output text file of IP addresses to a list of IP from various malware resource groups who post IP's associated with the most current C&C servers and malware hoping to alert us of an infection by one of our users via email upon a match. It will be ran via a batch file hence the command line method hourly after an hourly capture has been completed.
asked 22 Nov '14, 16:52
edited 22 Nov '14, 17:11
I have found my answer after many hours of trial and error....
To get destination and source IP addresses from a capture using tshark I used the command below:
So, after figuring this out I incorporated this into a powershell script to sort, get unique list of destination IP addresses(decided to only use destination -e ip.dst), and to filter out any 192.168.x.x traffic IP's. Here is my powershell script...
A run through:
I have dumpcap running doing a round robin of two one hour captures in a folder labeled “capturetest”, script looks in the folder for a file with the .cap extension, finds a .cap file with the last write time and moves it to a folder called, “target1”.
Then once moved to target1 the cap file get renamed to “capture.cap”
Then tshark does it thing to export out destination IP addresses to a text file called, “ip.txt”
Now that we have a list of destination IP’s we need to get rid of duplicates IP’s and filter out any 192.168.x.x traffic. This will be output to “match.txt”
Now the match.txt file gets moved to a server share where another script compares match.txt to another text file which is a blacklist compiled from various different sources of malicious and compromised IP’s.
Then Since I have this powershell script running as a scheduled task hourly we need to do some cleanup just to be tidy.
Edit: To run tshark as it is scripted, you will need to add tshark’s path to your environment variables. This script is running on Window 7 Pro with Powershell v2. Here’s a how to: http://www.computerhope.com/issues/ch000549.htm
answered 13 Dec ‘14, 21:21
edited 25 Aug ‘17, 18:23
It's possible, but it won't do what you want - all a filter does is control which packets to process; it doesn't affect the format of the output. Furthermore,
It's not the most convenient, but you could try doing
That will print out, to the standard output, a list of all source and destination IP addresses in the file, along with some statistics about the traffic to and from each of the hosts. If you just want a list of addresses, you'll have to run it through another program to filter out all the headers, etc.
answered 23 Nov '14, 00:15
Guy Harris ♦♦
edited 23 Nov '14, 00:16