I have a pcap file and I want to wireshark shows me packets with distinct source address. How can I do this in wireshark?
Asked
Active
Viewed 1.9k times
3 Answers
3
Use the IPv4 tab in the Endpoints (or Conversations) item under the Statistics menu to see a list of unique hosts (or conversations). You can further filter your capture from here too by right-clicking on a specific entry.
Jens Ehrich
- 923
2
From your comment to EMK's answer, it seems what you're looking for is a unique list of source IP addresses in a capture file. Assuming so, you can achieve this with tshark as follows:
On *nix platforms:
tshark -r capture.pcap -T fields -e ip.src | sort -u
On Windows, you will probably need a batch file to accomplish equivalent of sort -u. You can probably use the one provided here, and provided below:
tshark.exe -r capture.pcap -T fields -e ip.src > uniqinput.txt
sortuniq.bat uniqinput.txt
Batch file:
@echo off
setlocal disabledelayedexpansion
set "prev="
for /f "delims=" %%F in ('sort uniqinput.txt') do (
set "curr=%%F"
setlocal enabledelayedexpansion
if "!prev!" neq "!curr!" echo !curr!
endlocal
set "prev=%%F"
)
0
I assume you are looking for the IPV4 source, e.g.
ip.src == 192.168.0.200
Tip: In the Packet View, you can right click a value and choose "Apply as filter".
HelpingHand
- 2,598
- 12
- 16