This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to extract IP addresses from .cap file to text file?

0

At my work we have a computer running Dumpcap to capture LAN traffic into hourly captures. What is the easiest way via command line, and with what tool, to extract a list of IP addresses from the .cap files (post capture) and output them to a text file? Looking to output all destination and source IP addresses, and if possible filter out all local 192.168.x.x traffic IPs. Hoping to have a single IP per line in the text file. Any help would be much appreciated, thanks.

Maybe this is possible: `tshark -r input.cap -w output.txt -R "Some type of filter here"`

Our use case: We are hoping to compare this output text file of IP addresses to a list of IPs from various malware resource groups who post IPs associated with the most current C&C servers and malware, hoping to alert us by email of an infection of one of our users upon a match. It will be run via a batch file (hence the command-line method) hourly, after each hourly capture has completed.

asked 22 Nov '14, 16:52


zer0day
217811
accept rate: 60%

edited 22 Nov '14, 17:11


2 Answers:

0

I have found my answer after many hours of trial and error....

To get destination and source IP addresses from a capture using tshark I used the command below:

`tshark -r <input file> -T fields -e ip.dst -e ip.src > path\output.txt`

So, after figuring this out I incorporated this into a PowerShell script to sort, get a unique list of destination IP addresses (I decided to only use destination, `-e ip.dst`), and to filter out any 192.168.x.x traffic IPs. Here is my PowerShell script:

```powershell
# oldest .cap in the round-robin folder is the completed one; move it to target1
gci C:\Users\User\Desktop\capturetest\*.cap | where {!$_.PSIsContainer} | sort LastWriteTime | select -f 1 | move -destination "C:\Users\User\Desktop\target1"

gci C:\Users\User\Desktop\target1 *.cap | rename-item -newname capture.cap

tshark -r C:\Users\User\Desktop\target1\capture.cap -T fields -e ip.dst > C:\Users\User\Desktop\target1\ip.txt

# anchored, dot-escaped pattern so only addresses beginning with 192.168. are dropped
gc C:\Users\User\Desktop\target1\ip.txt | sort | get-unique | select-string -pattern "^192\.168\." -notmatch | Out-File C:\Users\User\Desktop\target1\match.txt

# UNC path to the share (two leading backslashes)
gci C:\Users\User\Desktop\target1\match.txt | move -destination "\\192.168.1.4\folder\outbound"

Remove-Item C:\Users\User\Desktop\target1\ip.txt

Remove-Item C:\Users\User\Desktop\target1\capture.cap
```

A run through:

I have dumpcap running doing a round robin of two one-hour captures in a folder labeled “capturetest”. The script looks in the folder for a file with the .cap extension, finds the .cap file with the earliest last write time (the completed capture) and moves it to a folder called “target1”.

`gci C:\Users\User\Desktop\capturetest\*.cap | where {!$_.PSIsContainer} | sort LastWriteTime | select -f 1 | move -destination "C:\Users\User\Desktop\target1"`

Then, once moved to target1, the cap file gets renamed to “capture.cap”:

`gci C:\Users\User\Desktop\target1 *.cap | rename-item -newname capture.cap`

Then tshark does its thing to export the destination IP addresses to a text file called “ip.txt”:

`tshark -r C:\Users\User\Desktop\target1\capture.cap -T fields -e ip.dst > C:\Users\User\Desktop\target1\ip.txt`

Now that we have a list of destination IPs we need to get rid of duplicate IPs and filter out any 192.168.x.x traffic. This will be output to “match.txt”:

`gc C:\Users\User\Desktop\target1\ip.txt | sort | get-unique | select-string -pattern "^192\.168\." -notmatch | Out-File C:\Users\User\Desktop\target1\match.txt`

Now the match.txt file gets moved to a server share where another script compares match.txt to another text file, which is a blacklist compiled from various different sources of malicious and compromised IPs:

`gci C:\Users\User\Desktop\target1\match.txt | move -destination "\\192.168.1.4\folder\outbound"`

Then, since I have this PowerShell script running as a scheduled task hourly, we need to do some cleanup just to be tidy:

`Remove-Item C:\Users\User\Desktop\target1\ip.txt`

`Remove-Item C:\Users\User\Desktop\target1\capture.cap`

Edit: To run tshark as it is scripted, you will need to add tshark’s path to your environment variables. This script is running on Windows 7 Pro with PowerShell v2. Here’s a how-to: http://www.computerhope.com/issues/ch000549.htm

answered 13 Dec ‘14, 21:21


zer0day
217811
accept rate: 60%

edited 25 Aug ‘17, 18:23
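The same post-processing stage (deduplicate, drop local addresses, compare against a blocklist) as an added Python example; this is not the poster's script and not part of the original answer. It takes the text that `tshark -r capture.cap -T fields -e ip.src -e ip.dst` prints, and goes a little beyond the post above: it filters all three RFC 1918 ranges rather than only 192.168.x.x, uses exact network membership instead of a substring test, and handles two quirks of `-T fields` output that would otherwise corrupt the list: empty fields for non-IP packets such as ARP, and comma-separated values when one packet carries two IP headers (ICMP errors quoting the offending datagram). The sample tshark output and the blocklist are constructed inline from documentation address ranges; `tshark` is assumed to be on `PATH` only when a capture path is given on the command line.

```python
"""Turn tshark field output into a unique list of external IPs and check it
against a blocklist. Added example, not the original poster's script."""
import ipaddress
import subprocess
import sys
from typing import Iterable, List, Set, Union

# Constructed sample of `tshark -r capture.cap -T fields -e ip.src -e ip.dst`
# output: one packet per line, fields separated by tabs. Documentation ranges only.
SAMPLE_TSHARK_OUTPUT = (
    "192.168.1.20\t192.0.2.44\n"
    "192.0.2.44\t192.168.1.20\n"
    "192.168.1.20\t192.168.1.4\n"                          # purely local traffic
    "\t\n"                                                 # ARP: no ip.src / ip.dst
    "192.168.1.20\t10.0.0.5\n"
    "10.0.0.5,192.168.1.20\t192.168.1.20,203.0.113.9\n"    # ICMP error: two IP headers
    "192.168.1.21\t198.51.100.7\n"
    "192.168.1.21\t198.51.100.7\n"                         # duplicate, must collapse
    "172.20.3.3\t198.51.100.7\n"
)

# Constructed blocklist in the common one-address-per-line feed layout.
SAMPLE_BLOCKLIST = (
    "# constructed sample feed, not real indicators\n"
    "198.51.100.7\n"
    "203.0.113.9\n"
    "203.0.113.250   # not present in the sample capture\n"
)

# RFC 1918 ranges; the original script only dropped 192.168.x.x.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def run_tshark_fields(cap_path: str, tshark: str = "tshark") -> str:
    """Run the same extraction the answer uses (assumes tshark is on PATH)."""
    cmd = [tshark, "-r", cap_path, "-T", "fields", "-e", "ip.src", "-e", "ip.dst"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def is_local(addr: Union[str, ipaddress.IPv4Address]) -> bool:
    """True for RFC 1918 addresses: network membership, not a '192.168' substring match."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in LOCAL_NETWORKS)


def parse_addresses(fields_output: str) -> Set[ipaddress.IPv4Address]:
    """Every IPv4 address found in any field of any line, deduplicated."""
    found: Set[ipaddress.IPv4Address] = set()
    for line in fields_output.splitlines():
        for field in line.split("\t"):
            for token in field.split(","):          # multi-occurrence fields
                token = token.strip()
                if not token:
                    continue                        # non-IP packet or unset field
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue                        # malformed value, skip it
                if isinstance(addr, ipaddress.IPv4Address):
                    found.add(addr)
    return found


def extract_external(fields_output: str) -> List[str]:
    """Unique non-RFC1918 addresses, numerically sorted, one string per entry."""
    return [str(a) for a in sorted(parse_addresses(fields_output)) if not is_local(a)]


def load_blocklist(text: str) -> Set[ipaddress.IPv4Address]:
    """Parse a one-per-line feed, ignoring '#' comments and malformed rows."""
    out: Set[ipaddress.IPv4Address] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            try:
                out.add(ipaddress.IPv4Address(entry))
            except ValueError:
                pass
    return out


def find_matches(external: Iterable[str], blocklist_text: str) -> List[str]:
    """Addresses seen in the capture that also appear in the blocklist."""
    seen = {ipaddress.IPv4Address(a) for a in external}
    return [str(a) for a in sorted(seen & load_blocklist(blocklist_text))]


if __name__ == "__main__":
    # With a .cap path argument run tshark; otherwise use the constructed sample.
    text = run_tshark_fields(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TSHARK_OUTPUT
    external = extract_external(text)
    print("\n".join(external))              # the match.txt content, one IP per line
    for hit in find_matches(external, SAMPLE_BLOCKLIST):
        print(f"ALERT: {hit} is on the blocklist", file=sys.stderr)
```

Run without arguments to see the sample processed; pass a capture path to process a real hourly file. Keeping the blocklist comparison in the same step as the extraction means the alert fires on the machine that has the capture, rather than after a copy to a share.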

2

> Maybe this is possible: `tshark -r input.cap -w output.txt -R "Some type of filter here"`

It's possible, but it won't do what you want - all a filter does is control which packets to process; it doesn't affect the format of the output. Furthermore, -w writes out a capture file, not arbitrary text.

It's not the most convenient, but you could try doing

`tshark -q -r input.cap -z ip_hosts,tree`

That will print out, to the standard output, a list of all source and destination IP addresses in the file, along with some statistics about the traffic to and from each of the hosts. If you just want a list of addresses, you'll have to run it through another program to filter out all the headers, etc.

answered 23 Nov '14, 00:15


Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 23 Nov '14, 00:16