Using tshark or Wireshark, is there a filter for unique MAC address, IP addresses? I would like to list all of the unique address in a PCAP. Or will this require some scripting to grep the output of tshark/tcpdump and then sort based on uniq output.


asked 29 Jun '11, 17:12

Pyxis's gravatar image

accept rate: 0%

Other than Statistics, Conversations? Wouldn't that do what you need?

(29 Jun '11, 18:38) hansangb

Both of your answers worked quite well...

(29 Jun '11, 21:28) Pyxis

Count unique IP addresses: tshark -r <input.pcap> -T fields -e ip.dst ip.src | sort | uniq

Count unique Ethernet addresses: tshark -r <input.pcap> -T fields -e eth.dst eth.src | sort | uniq

Note that e.g. ip.addr, which seems natural, actually lists out IP conversation endpoints.

(with many thanks, and a shout-out to Sake Blok)


answered 29 Jun '11, 19:40

griff's gravatar image

accept rate: 14%

Sounds like you were at sharkfest!

(29 Jun '11, 19:41) zachad

Thanks for the feedback!

(29 Jun '11, 21:26) Pyxis

As hangsanb alluded to, you can use Wireshark's Statistics -> Endpoints, then choose the Ethernet tab for a list of unique MAC addresses, and choose the IPv4 (or IPv6) tab for the list of unique IP addresses. You probably want to disable name resolution to see the actual values instead of the resolved OUI's or domain names. The nice thing about Statistics -> Endpoints is that it comes equipped with a "Copy" button so you can easily copy all the relevant information about those endpoints to a text/csv file for further analysis/reporting.


answered 29 Jun '11, 19:00

cmaynard's gravatar image

cmaynard ♦
accept rate: 17%

Thanks for the Wireshark answer, did not realize I could only mark one correct response.

(29 Jun '11, 21:27) Pyxis
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 29 Jun '11, 17:12

Seen: 7,837 times

Last updated: 29 Jun '11, 21:28

powered by OSQA