This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Determining unique MAC and IP addresses in a PCAP

0

Using tshark or Wireshark, is there a filter for unique MAC addresses or IP addresses? I would like to list all of the unique addresses in a PCAP. Or will this require some scripting to grep the output of tshark/tcpdump and then sort based on uniq output?

Thanks

asked 29 Jun '11, 17:12


Pyxis
accept rate: 0%

Other than Statistics, Conversations? Wouldn't that do what you need?

(29 Jun '11, 18:38) hansangb

Both of your answers worked quite well...

(29 Jun '11, 21:28) Pyxis

3 Answers:

5

Count unique IP addresses: tshark -r <input.pcap> -T fields -e ip.dst ip.src | sort | uniq

Count unique Ethernet addresses: tshark -r <input.pcap> -T fields -e eth.dst eth.src | sort | uniq

Note that e.g. ip.addr, which seems natural, actually lists out IP conversation endpoints.

(with many thanks, and a shout-out to Sake Blok)

answered 29 Jun '11, 19:40


griff
accept rate: 10%

Sounds like you were at sharkfest!

(29 Jun '11, 19:41) zachad

Thanks for the feedback!

(29 Jun '11, 21:26) Pyxis

4

As hansangb alluded to, you can use Wireshark's Statistics -> Endpoints, then choose the Ethernet tab for a list of unique MAC addresses, and choose the IPv4 (or IPv6) tab for the list of unique IP addresses. You probably want to disable name resolution to see the actual values instead of the resolved OUIs or domain names. The nice thing about Statistics -> Endpoints is that it comes equipped with a "Copy" button so you can easily copy all the relevant information about those endpoints to a text/csv file for further analysis/reporting.

answered 29 Jun '11, 19:00


cmaynard ♦♦
accept rate: 20%

Thanks for the Wireshark answer; I did not realize I could only mark one correct response.

(29 Jun '11, 21:27) Pyxis

1

The answer from @griff doesn't seem to work as expected, at least in Wireshark/TShark 2.0.2. Instead of displaying both the source and destination IP/MAC addresses, it only shows results for the first -e field.

My workaround is displaying both fields (-e ... -e ...) and then replacing tabs with newlines with tr "\t" "\n". This leaves the final command as follows:

Listing all unique IP addresses:

tshark -r input.pcap -T fields -e ip.src -e ip.dst | tr "\t" "\n" | sort | uniq

Listing all unique MAC addresses:

tshark -r input.pcap -T fields -e eth.src -e eth.dst | tr "\t" "\n" | sort | uniq

answered 08 May '17, 19:49


AlexAltea
accept rate: 0%

edited 08 May '17, 22:32

1

I like your answer better than the accepted one.

In fact, the accepted one must have a mistake, because you need a -e for every field to be displayed, but even then you would end up with 2 IP or Ethernet addresses per line, so unless you perform the tab-to-newline trick you did, you could end up with unique pairs of addresses instead of just unique addresses, which is really what you want.

(09 May '17, 06:58) cmaynard ♦♦
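The following is an added example, not code posted by anyone in this thread. It post-processes the tab-separated output of tshark -T fields the way the tr-based one-liner above does, but also handles two cases that one-liner does not: frames with no IP layer at all (ARP, STP and similar print an empty field, which tr then turns into a bogus blank line that sort | uniq happily keeps), and frames that carry more than one IP header (ICMP error messages, IP-in-IP, GRE), for which tshark prints every occurrence of the field joined by commas, so "10.0.0.1,192.168.1.10" would be counted as a single address. The file name input.pcap and the presence of tshark on the PATH are assumptions; the sample tshark output inside the script is constructed by hand and does not come from a real capture.

```shell
#!/bin/sh
# Added example (not from the original thread). Turns the output of
#   tshark -r input.pcap -T fields -e ip.src -e ip.dst
# into a list of unique addresses, coping with empty fields (non-IP frames)
# and comma-joined multiple occurrences (frames with nested IP headers).

# Print each distinct address once, sorted. Tabs separate the -e fields and
# commas separate multiple occurrences of one field, so split on both, drop
# empty tokens, then sort -u.
unique_addrs() {
    tr '\t,' '\n\n' | sed '/^$/d' | sort -u
}

# Same tokenisation, but print "count address" per line, most frequent first.
# The count is the number of field occurrences, not frames: an address that is
# both source and destination of one frame is counted twice for that frame.
addr_counts() {
    tr '\t,' '\n\n' | sed '/^$/d' | sort | uniq -c | sort -rn
}

# Constructed stand-in for tshark's output (ip.src <TAB> ip.dst per frame):
#   frame 1/2: a normal request and reply
#   frame 3:   an ARP frame, so both ip fields are empty
#   frame 4:   an ICMP error carrying the offending packet's IP header, so
#              each field holds two comma-joined values (tshark's default
#              -E occurrence=a behaviour)
#   frame 5:   a plain DNS query
sample_fields_output() {
    printf '%s\t%s\n' \
        '192.168.1.10'          '10.0.0.5' \
        '10.0.0.5'              '192.168.1.10' \
        ''                      '' \
        '10.0.0.1,192.168.1.10' '192.168.1.10,8.8.8.8' \
        '192.168.1.10'          '8.8.8.8'
}

# Real usage (assumes tshark is installed and the capture is named input.pcap):
#   tshark -r input.pcap -T fields -e ip.src -e ip.dst   | unique_addrs
#   tshark -r input.pcap -T fields -e eth.src -e eth.dst | unique_addrs
#   tshark -r input.pcap -T fields -e ip.src -e ip.dst   | addr_counts
#
# Demo on the constructed sample:
sample_fields_output | unique_addrs
```

Running the demo prints four addresses rather than five or six: the blank tokens from the ARP frame are dropped and the ICMP error's inner addresses are split out and merged with the outer ones. The same functions work unchanged on eth.src/eth.dst output, and on IPv6 with -e ipv6.src -e ipv6.dst.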