How can I sort my 822MB pcap file by IP source address? I need to be able to see the display in groups of same IP source addresses, but without cutting the other fields displayed. I need to see which IP addresses have sent more than 100 packets, and, then determine if within those 100+ packet clusters the packets are at most 5 mins apart. This is to infer DDoS attack form backscattered traffic. Thank you. asked 19 Nov '16, 14:56  MaryR |
One Answer:
To sort the display by source IP address, click once on the Source address column header to sort from low to high; click twice to sort from high to low. To see how many packets were sent by different addresses, go to Statistics > Endpoints and then click on the IPv4 tab. Click twice on the Packets column header to sort from high-to-low. All the hosts that sent 100 or more packets will be at the top of the list, in decreasing order. answered 19 Nov '16, 15:15  Jim Aragon |
I hope he can load the file. Maybe ntopng is a better approach?
It is sorting now, and I am sure it will work, but how can I do this from command line, with tshark and other linux commands for two reasons: 1) because of the file size, wireshark is taking a,long time to do it, if it does it in the end, a 2) because I need to automate the process of inferring the DDoS attack from the original dataset. My original file was 8GB, I used some tcpdump filter and reduced to 822 MB, now I need to filter by number of packets and time. In the end I need to write bash script to automate the whole process. What commands could I use for sorting as Wireshark does? Is command line better approach? Help greatly appreciated.