This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

get most common sender of packets in a trace file

0

I am trying to find out the host that has sent the most TCP packets in a trace file, regardless of destination. Is there a way to do that with Wireshark?

asked 27 Nov '12, 20:56

user9909's gravatar image

user9909
6113
accept rate: 0%


One Answer:

2

Yes, there is:

  1. Set the display filter to "tcp" and click "apply"
  2. Go to "Statistics -> Endpoints"
  3. Select "Limit to display filter"
  4. Click on the "IPv4" tab
  5. Click on "Tx Bytes" twice to sort reversely on transmitted bytes

Then you may use "Copy" to export the results in CSV to the clipboard...

answered 27 Nov '12, 23:43

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thank you so much! That's exactly what I needed

(28 Nov '12, 06:04) user9909

Is there a way to use the Endpoints IPv4 tab to display only the src ips instead of src + dest ips in the statistics?

(28 Nov '12, 11:19) user9909

That's not possible. Then you need to cook something up with tshark and some scripting. If you are just interested in the count of packets, you can use:

tshark -r <file> -R tcp -T fields -e ip.src | sort | uniq -c

If you want the top 10, you can add:

... | sort -rn | head

(if you're on windows, you can use powershell for similar commands or install cygwin to get a bash shell)

(28 Nov '12, 11:44) SYN-bit ♦♦

The PowerShell equivalents would be:

tshark -r <file> -R tcp -T fields -e "ip.src" | Sort-Object -Unique | Measure-Object

and:

... | Group-Object | Sort-Object -Descending | Select-Object -First 10

(28 Nov '12, 12:39) grahamb ♦

Fantastic, thanks guys

(28 Nov '12, 17:31) user9909