This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I sort my 822MB pcap file by IP source address? I need to be able to see the display in groups of same IP source addresses, but without cutting the other fields displayed. I need to see which IP addresses have sent more than 100 packets, and then determine if within those 100+ packet clusters the packets are at most 5 mins apart. This is to infer DDoS attack from backscattered traffic. Thank you.

asked 19 Nov '16, 14:56


MaryR


To sort the display by source IP address, click once on the Source address column header to sort from low to high; click twice to sort from high to low.

To see how many packets were sent by different addresses, go to Statistics > Endpoints and then click on the IPv4 tab. Click twice on the Packets column header to sort from high-to-low. All the hosts that sent 100 or more packets will be at the top of the list, in decreasing order.


answered 19 Nov '16, 15:15


Jim Aragon

I hope he can load the file. Maybe ntopng is a better approach?

(19 Nov '16, 16:23) Jaap ♦

It is sorting now, and I am sure it will work, but how can I do this from the command line, with tshark and other Linux commands, for two reasons: 1) because of the file size, Wireshark is taking a long time to do it, if it does it in the end, and 2) because I need to automate the process of inferring the DDoS attack from the original dataset. My original file was 8 GB; I used some tcpdump filter and reduced it to 822 MB, and now I need to filter by number of packets and time. In the end I need to write a bash script to automate the whole process. What commands could I use for sorting as Wireshark does? Is the command line a better approach? Help greatly appreciated.

(19 Nov '16, 16:35) MaryR
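The Endpoints count from the answer and the follow-up request for a tshark/bash equivalent, as an added example that is not part of the original thread. It assumes a tshark field export of timestamp and source address; the file names capture.pcap and frames.tsv are placeholders, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread: a tshark/awk version of
# the Statistics > Endpoints > IPv4 count from the answer, plus the asker's
# 5-minute spacing check. It reads a "frame.time_epoch<TAB>ip.src" export,
# which tshark produces from the pcap (capture.pcap is a placeholder name):
#   tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src > frames.tsv

MIN_PACKETS=100   # packet-count threshold from the question
MAX_GAP=300       # 5 minutes, in seconds

# Reads export lines on stdin. Prints one line per source with >= MIN_PACKETS
# packets: "<src> <count> <largest gap in s> <yes|no>", where yes means no two
# consecutive packets from that source were more than MAX_GAP seconds apart.
analyze_sources() {
    sort -t "$(printf '\t')" -k2,2 -k1,1n |
    awk -F '\t' -v min="$MIN_PACKETS" -v gap="$MAX_GAP" '
        function flush() {
            if (count >= min)
                printf "%s %d %.1f %s\n", src, count, maxgap, (maxgap <= gap ? "yes" : "no")
        }
        $2 == "" { next }                  # non-IP frame: no ip.src field
        $2 != src {                        # new source: report the previous one
            if (src != "") flush()
            src = $2; count = 0; maxgap = 0; prev = $1
        }
        {
            count++
            d = $1 - prev                  # seconds since this source was last seen
            if (d > maxgap) maxgap = d
            prev = $1
        }
        END { if (src != "") flush() }
    '
}

# Constructed sample export: 10.0.0.1 sends 120 packets 10 s apart (a tight
# cluster), 10.0.0.2 sends 120 with one 10-minute pause, 10.0.0.3 sends 5.
sample_export() {
    awk 'BEGIN {
        t = 1479600000
        for (i = 0; i < 120; i++) printf "%d\t10.0.0.1\n", t + i * 10
        for (i = 0; i < 120; i++) printf "%d\t10.0.0.2\n", t + i * 10 + (i >= 60 ? 600 : 0)
        for (i = 0; i < 5; i++)   printf "%d\t10.0.0.3\n", t + i
        printf "%d\t\n", t + 1              # frame without an IP header
    }'
}

# Real data: analyze_sources < frames.tsv    Demo: sample_export | analyze_sources
```

Sorting the export once and letting awk keep a single running state is what keeps this usable on an 822 MB capture, where the GUI sort is slow.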
question asked: 19 Nov '16, 14:56

question was seen: 1,312 times

last updated: 19 Nov '16, 16:35

p​o​w​e​r​e​d by O​S​Q​A