Using tshark or Wireshark, is there a filter for unique MAC addresses and IP addresses? I would like to list all of the unique addresses in a PCAP. Or will this require some scripting to grep the output of tshark/tcpdump and then sort based on uniq output?

Thanks

asked 29 Jun '11, 17:12

Pyxis

Other than Statistics, Conversations? Wouldn't that do what you need?

(29 Jun '11, 18:38) hansangb

Both of your answers worked quite well...

(29 Jun '11, 21:28) Pyxis

Count unique IP addresses: tshark -r <input.pcap> -T fields -e ip.dst -e ip.src | tr '\t' '\n' | sort | uniq

Count unique Ethernet addresses: tshark -r <input.pcap> -T fields -e eth.dst -e eth.src | tr '\t' '\n' | sort | uniq

Note that e.g. ip.addr, which seems natural, actually lists out IP conversation endpoints.

(with many thanks, and a shout-out to Sake Blok)

answered 29 Jun '11, 19:40

griff

Sounds like you were at Sharkfest!

(29 Jun '11, 19:41) zachad

Thanks for the feedback!

(29 Jun '11, 21:26) Pyxis
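
An added example, not part of the original answers: a shell helper that post-processes `tshark -T fields` output into a count per unique address. The function names and sample lines are constructed for illustration; it splits tab-separated columns and comma-joined repeated fields, and drops the empty columns left by packets that lack the field.

```shell
#!/bin/sh
# Added example: tally unique addresses from `tshark -T fields` output.
# tshark prints one line per packet, one tab-separated column per -e field.
# A field that occurs more than once in a packet (for example the inner IP
# header quoted inside an ICMP error) is joined with commas, and packets
# without the field (ARP has no ip.src) leave an empty column.

# tally_fields: read field output on stdin, print "count address" lines,
# most frequent first.
tally_fields() {
    tr '\t,' '\n\n' |      # one address per line
        sed '/^$/d' |      # drop empty columns from non-matching packets
        sort | uniq -c |
        sort -k1,1nr -k2,2 |
        awk '{ print $1, $2 }'
}

# unique_endpoints PCAP FIELD...: run tshark over a capture and tally the
# requested fields, e.g. unique_endpoints input.pcap ip.src ip.dst
# -n disables name resolution so raw addresses are listed.
unique_endpoints() {
    pcap=$1; shift
    set -- $(printf ' -e %s' "$@")
    tshark -n -r "$pcap" -T fields "$@" | tally_fields
}

# Constructed sample of `-e ip.src -e ip.dst` output (not from a real capture):
# two TCP packets, an ICMP error with an embedded header, and an ARP frame.
sample_fields() {
    printf '10.0.0.5\t10.0.0.1\n'
    printf '10.0.0.1\t10.0.0.5\n'
    printf '10.0.0.1,10.0.0.5\t10.0.0.5,192.0.2.9\n'
    printf '\t\n'
}
```

For MAC addresses, call `unique_endpoints input.pcap eth.src eth.dst`; `sample_fields | tally_fields` shows the tally on the constructed input without needing a capture file.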

As hansangb alluded to, you can use Wireshark's Statistics -> Endpoints, then choose the Ethernet tab for a list of unique MAC addresses, and choose the IPv4 (or IPv6) tab for the list of unique IP addresses. You probably want to disable name resolution to see the actual values instead of the resolved OUIs or domain names. The nice thing about Statistics -> Endpoints is that it comes equipped with a "Copy" button so you can easily copy all the relevant information about those endpoints to a text/csv file for further analysis/reporting.

answered 29 Jun '11, 19:00

cmaynard ♦

Thanks for the Wireshark answer, did not realize I could only mark one correct response.

(29 Jun '11, 21:27) Pyxis
Asked: 29 Jun '11, 17:12

Seen: 7,837 times

Last updated: 29 Jun '11, 21:28
