Using tshark or Wireshark, is there a filter for unique MAC addresses and IP addresses? I would like to list all of the unique addresses in a PCAP. Or will this require some scripting to grep the output of tshark/tcpdump and then sort based on uniq output?
asked 29 Jun '11, 17:12
Count unique IP addresses: tshark -r <input.pcap> -T fields -e ip.dst ip.src | sort | uniq
Count unique Ethernet addresses: tshark -r <input.pcap> -T fields -e eth.dst eth.src | sort | uniq
Note that e.g. ip.addr, which seems natural, actually lists out IP conversation endpoints.
(with many thanks, and a shout-out to Sake Blok)
answered 29 Jun '11, 19:40
As hangsanb alluded to, you can use Wireshark's
answered 29 Jun '11, 19:00
The answer from @griff doesn't seem to work as expected, at least in Wireshark/TShark 2.0.2. Instead of displaying both the source and destination IP/MAC addresses, it only shows results for the first -e field.
My workaround is displaying both fields (-e ... -e ...), and then replacing tabs with newlines with (tr "\t" "\n"). This leaves the final command as follows:
Listing all unique IP addresses:
Listing all unique MAC addresses:
answered 08 May '17, 19:49
edited 08 May '17, 22:32
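The workaround described in the last answer (one -e per field, tabs turned into newlines), written out as an added example that is not code from any of the posts above. It also splits on commas, because tshark joins repeated occurrences of a field in one packet with a comma by default (for instance the inner IP header quoted in an ICMP error), and it drops the empty columns produced by packets that lack the field. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `tshark -T fields` output into one address per line.
# Function names and the sample data are hypothetical, not from the page.

# split_fields: stdin is tab-separated tshark field output. A column holds
# comma-joined values when the field occurs more than once in a packet, and
# is empty when the packet does not have the field (ARP has no ip.src).
split_fields() {
    tr '\t,' '\n\n' | sed '/^$/d'
}

# unique_addrs: sorted, de-duplicated address list.
unique_addrs() {
    split_fields | LC_ALL=C sort -u
}

# addr_counts: "count address" lines, most frequent first.
addr_counts() {
    split_fields | LC_ALL=C sort | uniq -c | sort -k1,1nr -k2,2 |
        awk '{print $1, $2}'
}

# list_unique PCAP FIELD...: run tshark with one -e per field name.
list_unique() {
    pcap=$1; shift
    args=
    for f in "$@"; do args="$args -e $f"; done
    # Field names contain no whitespace, so the unquoted expansion is safe.
    tshark -r "$pcap" -T fields $args | unique_addrs
}

# sample_fields: constructed rows shaped like `-e ip.src -e ip.dst` output.
sample_fields() {
    printf '10.0.0.5\t10.0.0.1\n'
    printf '10.0.0.1\t10.0.0.5\n'
    printf '\t\n'                                   # ARP frame, no IP layer
    printf '10.0.0.1,10.0.0.5\t10.0.0.5,8.8.8.8\n'  # ICMP error, inner header
}

# Usage: sh unique_addrs.sh capture.pcap ip.src ip.dst
#        sh unique_addrs.sh capture.pcap eth.src eth.dst
if [ "$#" -ge 2 ]; then
    list_unique "$@"
fi
```

Addresses that appear only inside a quoted inner header (8.8.8.8 in the sample) were never an endpoint of a captured packet, so treat them separately when building an asset list.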