Hi there, I am looking to analyse a PCAP file generated using Wireshark. Is there any possibility to use a filter that generates a list of protocols found in the capture? Same thing with the list of IPs and host/domain names in the capture file. Regards
asked 18 Aug '16, 07:54 geniusgenie007
2 Answers:
Have a look at the Wireshark Statistics menu, in particular the Protocol Hierarchy and Endpoints options.
answered 18 Aug '16, 08:10 grahamb ♦
You'll probably want to do that kind of thing in tshark (as Graham said, this isn't something to do with filters). For your specific example of getting all the protocols in a file there's actually already a shell script for that (in the Wireshark source code; it's not installed when you install Wireshark): Fundamentally the script just runs Similar mechanisms can be used to find IP addresses, etc.
answered 18 Aug '16, 10:27 JeffMorriss ♦
Thanks a lot Jeff and Graham, I will definitely give it a try. (18 Aug '16, 14:59) geniusgenie007
Actually, I am looking to use custom filters to do this task to make myself understand wireshark better.
This can't be done with filters, as they only give a match/no match for each frame to display it and don't take into account values in other frames. Showing distinct values across frames, e.g. a protocol hierarchy, requires a "tap", which is what the items under the Statistics menu use.
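As an added example (not code from the answers above or from the Wireshark script Jeff mentions), this is the kind of tshark post-processing his answer describes: tshark's `-T fields` output for `frame.protocols`, `ip.src`/`ip.dst` and `dns.qry.name`/`http.host` is reduced to distinct values with awk and sort, which is the cross-frame summary a display filter alone cannot give. The tshark options and field names are standard; the helper function names and the embedded sample lines are my own.

```shell
#!/bin/sh
# Added example: list the distinct protocols, IP addresses and host names in
# a capture by post-processing tshark's "-T fields" output. The helper names
# and the sample data below are constructed for this example.

# Print the requested fields for every frame in capture $1, one frame per
# line, fields tab-separated (tshark joins repeated occurrences of a field
# within one frame with commas).
dump_fields() {
    capture=$1
    shift
    # Turn "f1 f2 ..." into "-e f1 -e f2 ..." using only positional params
    for field in "$@"; do
        set -- "$@" -e "$field"
        shift
    done
    tshark -r "$capture" -T fields "$@"
}

# Split stdin on the separator characters in $1 (awk -v expands "\t"),
# drop empty fields and print each distinct value exactly once, sorted.
distinct_values() {
    awk -v seps="$1" 'BEGIN { FS = "[" seps "]" }
        { for (i = 1; i <= NF; i++) if ($i != "") print $i }' |
        LC_ALL=C sort -u
}

# Constructed sample of what "tshark -T fields -e frame.protocols" prints,
# so the script demonstrates itself without a capture file or tshark.
SAMPLE_PROTOCOLS='eth:ethertype:ip:udp:dns
eth:ethertype:ip:tcp:http
eth:ethertype:ip:tcp
eth:ethertype:arp'

echo "## distinct protocol layers (sample data)"
printf '%s\n' "$SAMPLE_PROTOCOLS" | distinct_values ':'

# With tshark installed: sh this_script.sh capture.pcap
if [ -n "${1:-}" ] && command -v tshark >/dev/null 2>&1; then
    echo "## protocols";    dump_fields "$1" frame.protocols | distinct_values ':'
    echo "## IP addresses"; dump_fields "$1" ip.src ip.dst | distinct_values '\t,'
    echo "## host names";   dump_fields "$1" dns.qry.name http.host | distinct_values '\t,'
fi
```

The Statistics > Protocol Hierarchy and Endpoints windows compute the same kinds of lists with taps, so the output here is useful for cross-checking them from the command line.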