How can I sort my 822MB pcap file by IP source address? I need to be able to see the display in groups of same IP source addresses, but without cutting the other fields displayed. I need to see which IP addresses have sent more than 100 packets, and then determine if within those 100+ packet clusters the packets are at most 5 mins apart. This is to infer DDoS attack from backscattered traffic. Thank you.

To sort the display by source IP address, click once on the Source address column header to sort from low to high; click twice to sort from high to low.

To see how many packets were sent by different addresses, go to Statistics > Endpoints and then click on the IPv4 tab. Click twice on the Packets column header to sort from high-to-low. All the hosts that sent 100 or more packets will be at the top of the list, in decreasing order.

Jim Aragon
I hope he can load the file. Maybe ntopng is a better approach?

(19 Nov '16, 16:23) Jaap

It is sorting now, and I am sure it will work, but how can I do this from the command line, with tshark and other linux commands, for two reasons: 1) because of the file size, wireshark is taking a long time to do it, if it does it in the end, and 2) because I need to automate the process of inferring the DDoS attack from the original dataset. My original file was 8GB, I used some tcpdump filter and reduced it to 822 MB, now I need to filter by number of packets and time. In the end I need to write a bash script to automate the whole process. What commands could I use for sorting as Wireshark does? Is the command line a better approach? Help greatly appreciated.

(19 Nov '16, 16:35) MaryR
question asked: 19 Nov '16, 14:56

last updated: 19 Nov '16, 16:35

