This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter repeat destination IPs showing

0

Hi,

I don't think this is possible but I thought I'd check.

I want to audit which IPs are being accessed by one source host over a certain link. This bit is easy as I can see all IPs in the dump...

However, I want to only see one hit to the destination IPs in the output... not all traffic, so that I can make a list of servers remote side for my audit.... I plan on running this for a few days, hence not wanting all traffic to each host... just need to know which servers are accessed from the source host. Be nice if I could see a list of all IPs in a row just listed once.

Thanks!

This question is marked "community wiki".

asked 15 Feb '12, 09:05

jesh1980

edited 15 Feb '12, 09:07


2 Answers:

0

Wouldn't the Statistics -> Endpoint report help?

answered 15 Feb '12, 09:15

thetechfirm

That actually looks like what I want... can I extract all this?

(15 Feb '12, 09:29) jesh1980

You can use the Copy button at the bottom and paste the data into Excel and muck around all you want.

(15 Feb '12, 09:31) thetechfirm

Yea, I tried that, looks like I can only one line at a time...

(15 Feb '12, 09:35) jesh1980

Huh? Go to Statistics -> Endpoints and click on the IP tab. Then if you press on the Copy button and paste the results into Notepad you should see the CSV formatted data.

Are you saying that when you paste the data, you only see one line?

(15 Feb '12, 09:47) thetechfirm

OK, I got it, I'm all good!

Thanks for your help :)

Appreciated, buddy!

(15 Feb '12, 09:49) jesh1980

0

You can also use Tshark with a bit of scripting as shown in the answer to this question (which is remarkably similar to yours).

For Windows PowerShell users the equivalent recipes are:

Count unique IP addresses: tshark -r <input.pcap> -T fields -e ip.dst ip.src | Sort-Object | Get-Unique

Count unique Ethernet addresses: tshark -r <input.pcap> -T fields -e eth.dst eth.src | Sort-Object | Get-Unique

answered 15 Feb '12, 09:53

grahamb ♦

edited 15 Feb '12, 10:00

Thanks.. I have no idea how to do that so may go with the first option.

(16 Feb '12, 03:45) jesh1980

Tshark is the command line version of Wireshark, and outputs text strings corresponding to the input capture, live or from a file.

The advantage of using Tshark is that the output can then be processed by other applications. My example is for Windows users and uses PowerShell, the replacement for the old CMD shell, and the linked example is for *nix users.

(16 Feb '12, 04:11) grahamb ♦
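
An added example, not part of the original thread or of either answer: a POSIX shell version of the tshark-plus-scripting approach, narrowed to the question's goal of listing each destination contacted by one source host once, with a packet count and first-seen time. The capture file argument, the source address 10.0.0.5, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): one line per destination IP
# contacted by a single source host, with packet count and first-seen time.

# Turn a capture into "epoch<TAB>ip.src<TAB>ip.dst" lines. Needs tshark; the
# demo at the bottom does not call it.
# -E occurrence=f prints only the first ip.src/ip.dst of a packet, so ICMP
# errors that quote an inner IP header do not yield "a,b" values.
extract_fields() {  # $1 = capture file, $2 = source host (both assumptions)
    tshark -r "$1" -Y "ip.src == $2" -T fields -E occurrence=f \
        -e frame.time_epoch -e ip.src -e ip.dst
}

# Reduce the field lines on stdin to: dst<TAB>packets<TAB>first_seen_epoch,
# in order of first appearance. Lines from other sources or without an IP
# destination (e.g. ARP) are skipped.
unique_dsts() {  # $1 = source host
    awk -F'\t' -v src="$1" '
        $2 == src && $3 != "" {
            if (!($3 in count)) { first[$3] = $1; order[++k] = $3 }
            count[$3]++
        }
        END {
            for (i = 1; i <= k; i++)
                printf "%s\t%d\t%s\n", order[i], count[order[i]], first[order[i]]
        }'
}

# Constructed sample of extract_fields output (documentation addresses).
sample_fields() {
    printf '%s\t%s\t%s\n' \
        1329296700.10 10.0.0.5   192.0.2.10 \
        1329296700.25 192.0.2.10 10.0.0.5 \
        1329296701.00 10.0.0.5   198.51.100.7 \
        1329296702.50 10.0.0.5   192.0.2.10 \
        1329296703.00 ''         '' \
        1329296704.75 10.0.0.5   203.0.113.20
}

# Demo on the constructed sample; with a real capture use:
#   extract_fields capture.pcap 10.0.0.5 | unique_dsts 10.0.0.5
sample_fields | unique_dsts 10.0.0.5
```

For a multi-day audit, run `extract_fields` over each capture file in turn and pipe the concatenated output into a single `unique_dsts` call so every server is still listed once.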