This is our old Q&A Site. Please post any new questions and answers at


i dont think this is possible but i thought id check.

i want to audit which ips are being accessed by one source host over a certain link. this bit easy as i can see all ips in the dump...

how ever i want to only see one hit to the destination ips in the output...not all traffic so that i can make a list of servers remote side for my audit....i plan on running this for a few days hence not wanting all traffic to each host...just need to knw which servers are accessed from the source host. be bice if i cld see a list of all ips in a row just listed once


This question is marked "community wiki".

asked 15 Feb '12, 09:05

jesh1980's gravatar image

accept rate: 0%

edited 15 Feb '12, 09:07

wouldn't the Statistics -> Endpoint report help?

permanent link

answered 15 Feb '12, 09:15

thetechfirm's gravatar image

accept rate: 0%

that actually looks like what i want...can i extract all this?

(15 Feb '12, 09:29) jesh1980

you can use the Copy Button at the bottom and paste the data into Excel and muck around all you want.

(15 Feb '12, 09:31) thetechfirm

yea i tried that, looks like i can only one line at a time...

(15 Feb '12, 09:35) jesh1980

huh?, Go to Statistics - >Endpoints and click on the IP tab. Then if you press on the Copy button and paste the results into notepad you should see the CSV formatted data.

Are you saying that when you paste the data, you only see one line?

(15 Feb '12, 09:47) thetechfirm

ok i got it, im all good!

thanks for you help :)

appreciated buddy!

(15 Feb '12, 09:49) jesh1980

You can also use Tshark with a bit of scripting as shown in the answer to this question (which is remarkably similar to yours).

For Windows PowerShell users the equivalent recipes are:

Count unique IP addresses: tshark -r <input.pcap> -T fields -e ip.dst ip.src | Sort-Object | Get-Unique

Count unique Ethernet addresses: tshark -r <input.pcap> -T fields -e eth.dst eth.src | Sort-Object | Get-Unique
permanent link

answered 15 Feb '12, 09:53

grahamb's gravatar image

grahamb ♦
accept rate: 22%

edited 15 Feb '12, 10:00

thanks..i have knw idea how to do that so may go with the first option

(16 Feb '12, 03:45) jesh1980

Tshark is the command line version of wireshark, and outputs text strings corresponding to the input capture, live or from a file.

The advantage of using Tshark is that the output can then be processed by other applications. My example for Windows users and uses PowerShell, the replacement for the old CMD shell and the linked example is for *nix users.

(16 Feb '12, 04:11) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 15 Feb '12, 09:05

question was seen: 7,567 times

last updated: 16 Feb '12, 04:11

p​o​w​e​r​e​d by O​S​Q​A