This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do you filter so that there is one listing per IP?

0

I wanted to find out how to filter my results so that I don't have one listing per packet and just have one listing per ip.

Thanks in advance

asked 14 Feb '16, 01:13

theH0MEBREWER's gravatar image

theH0MEBREWER
11113
accept rate: 0%

I'm afraid you'll have to be far more specific as for the desired result. E.g. "I want to get a list of all IP addresses seen in the capture, with the number of sent and received packets for each of them" or something alike. A "listing" may be nearly anything.

(14 Feb '16, 01:47) sindy

I am new to wireshark so i don't really know how to ask what I want to do... this might better explain it. In this video https://youtu.be/NWsnTLPGrts?t=3m at 4:30 the he says "you can limit it to one ip per listing" but he doesn't explain how to do that. I am trying to figure that out. I also wat to be able to do that as a filter so I can just scroll through the results and not have to export anything. Thanks again.

(14 Feb '16, 12:31) theH0MEBREWER

One Answer:

0

Go have a look in the Statistics menu to get several options of overviews of the captured data.

answered 14 Feb '16, 07:20

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

This helps but I wanted to know if there is a filter that does that in the Live Capture window.

(14 Feb '16, 12:34) theH0MEBREWER
1

If we admit that watching the list of IP addresses grow live has some advantage, then nothing prevents you from doing the following:

  • apply the display filter ip.src == your.ip.add.ress

  • go Statistics -> Conversations, a new window will open

  • tick the Limit to display filter checkbox in that window, and choose the IPv4 tab

  • go back to the main window and start the capture

  • go to the Conversations window again and watch the "one row per IP" table grow live.

In this table, you can sort the rows up to one column's values, by clicking the column header.

I don't know what the guy on the video had in mind, but to the best of my knowledge, there is no way to change the behaviour of the packet list pane so that it would display all packets which have the same value of a given protocol field (like ip.dst in your case) in a single row. As @Jaap has suggested, other tools have to be used for that purpose.

(15 Feb '16, 00:27) sindy

Thanks Sindy.

(26 Feb '16, 05:22) theH0MEBREWER