This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

List of protocols in the PCAP file

0

Hi there, I am looking to analyse a PCAP file generated using Wireshark. Is there any possibility to use a filter that generates a list of protocols found in the capture? Same thing with the list of IPs and host/domain names in the capture file.

Regards

asked 18 Aug '16, 07:54

geniusgenie007


2 Answers:

1

Have a look at the Wireshark Statistics menu, in particular the Protocol Hierarchy and Endpoints options.

answered 18 Aug '16, 08:10

grahamb ♦

Actually, I am looking to use custom filters to do this task to make myself understand Wireshark better.

(18 Aug '16, 08:12) geniusgenie007

This can't be done with filters, as they only give a match/no match for each frame to display it and don't take into account values in other frames. To show distinct values among frames, e.g. the protocol hierarchy, requires a "tap", which is what the items under the Statistics menu use.

(18 Aug '16, 08:26) grahamb ♦

1

You'll probably want to do that kind of thing in tshark (as Graham said, this isn't something to do with filters).

For your specific example of getting all the protocols in a file there's actually already a shell script for that (in the Wireshark source code, it's not installed when you install Wireshark): tools/list_protos_in_cap.sh.

Fundamentally the script just runs tshark -T fields -e frame.protocols -nr /path/to/file then does a little more magic to remove duplicate protocols.

Similar mechanisms can be used to find IP addresses, etc.

answered 18 Aug '16, 10:27

JeffMorriss ♦

Thanks a lot Jeff and Graham, I will definitely give it a try.

(18 Aug '16, 14:59) geniusgenie007
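
The tshark approach from the second answer, extended to addresses and names, as an added example (not the tools/list_protos_in_cap.sh script from the Wireshark source and not code from either answerer). The function names and the choice of fields for addresses and names (ip.src, ip.dst, ipv6.src, ipv6.dst, dns.qry.name, http.host) are assumptions.

```shell
#!/bin/sh
# Added example: distinct protocols, IP addresses and names in a capture,
# built on "tshark -T fields". Function names are hypothetical.

# Read "tshark -T fields" output on stdin and print each distinct value once.
# Columns are tab-separated, and a field that occurs several times in one
# frame (e.g. the inner IP header of an ICMP error) is comma-joined.
# $1 = extra separator characters; pass ':' only for frame.protocols,
# because IPv6 addresses contain colons themselves.
uniq_values() {
    tr "\t,$1" '\n\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Every protocol layer seen in any frame (frame.protocols looks like
# "eth:ethertype:ip:tcp:http", one line per frame).
list_protocols() {
    tshark -n -r "$1" -T fields -e frame.protocols | uniq_values ':'
}

# Every IPv4/IPv6 address seen as source or destination.
list_ips() {
    tshark -n -r "$1" -T fields \
        -e ip.src -e ip.dst -e ipv6.src -e ipv6.dst | uniq_values ''
}

# Names seen in DNS queries and HTTP Host headers (assumed field choice).
list_names() {
    tshark -n -r "$1" -T fields -e dns.qry.name -e http.host | uniq_values ''
}

# Run only when a capture file is given: ./script.sh /path/to/file
if [ "$#" -gt 0 ]; then
    echo "== protocols =="; list_protocols "$1"
    echo "== addresses =="; list_ips "$1"
    echo "== names ==";     list_names "$1"
fi
```
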