Have you looked at using tshark to extract the data?
SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)
(sample capture used here from the Wireshark Wiki)
$ tshark -r ./smbtorture.cap.gz -Y "ip.dst==192.168.114.129" -T fields -e ip.src -e tcp.dstport -e udp.dstport -e _ws.col.Protocol | sort | uniq
192.168.114.1 389 CLDAP
192.168.114.1 49157 DNS
192.168.114.1 49178 DNS
192.168.114.1 139 NBSS
192.168.114.1 139 TCP
192.168.114.1 445 DCERPC
192.168.114.1 445 LANMAN
192.168.114.1 445 LSARPC
192.168.114.1 445 SMB
192.168.114.1 445 TCP
192.168.114.129,192.168.114.1 389 ICMP
192.168.114.254 68 DHCP
$
The query below shows response packets from the server. If on Windows, sort has a /unique option:
C:\>tshark -r smbtorture.cap.gz -Y "ip.src==192.168.114.129" -T fields -e ip.dst -e tcp.srcport -e udp.srcport | sort /unique
192.168.114.1 49157
192.168.114.1 49178
192.168.114.1 139
192.168.114.1 445
192.168.114.1,192.168.114.129 32811
192.168.114.254 68
192.168.114.255 137
192.168.114.255 138
224.0.0.22
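As an added example that is not part of the answer above (and not taken from the SharkFest talk or the Wireshark Wiki capture), here is a small POSIX shell wrapper that runs the same kind of tshark field extraction and then post-processes the rows into a per-source service summary. It assumes tshark is on PATH and that the capture path and target host are passed as arguments; the sample rows in the usage note are constructed to mimic "-T fields" output and are not from smbtorture.cap.gz. The ICMP line in the answer ("192.168.114.129,192.168.114.1 389 ICMP") shows why the post-processing is needed: when a field occurs twice in one packet (here ip.src from the outer header and from the IP header quoted inside the ICMP error), tshark joins the values with a comma, so a naive "sort | uniq" counts that packet as a separate "source".

```shell
#!/bin/sh
# Added example, not part of the answer above: wrap the tshark field extraction
# in a function and post-process its rows into a per-source service summary.
# Assumptions: tshark is on PATH; capture path and target host are function
# arguments; the sample rows used for testing are constructed to mimic
# "-T fields" output and are not taken from smbtorture.cap.gz.

# One row per packet, tab-separated (tshark's default -T fields separator):
#   ip.src <TAB> tcp.dstport <TAB> udp.dstport <TAB> protocol column
# -E occurrence=f keeps only the first value of a field that occurs more than
# once in a packet, e.g. ip.src from the outer header of an ICMP error rather
# than "outer,inner" joined with a comma as in the answer's ICMP line.
tshark_rows() {
    capture=$1
    target=$2
    tshark -r "$capture" -Y "ip.dst==$target" -T fields -E occurrence=f \
        -e ip.src -e tcp.dstport -e udp.dstport -e _ws.col.Protocol
}

# Read tab-separated rows on stdin and print
#   src <TAB> tcp/port | udp/port | - <TAB> protocol <TAB> packet count
# Exactly one of the two port columns is non-empty for TCP or UDP; both are
# empty for packets with neither transport. A UDP header quoted inside an ICMP
# error still yields a udp.dstport, so such rows show as udp/<port> with
# protocol ICMP; the protocol column is what tells them apart from real UDP.
summarize() {
    awk -F'\t' '
        {
            src = $1
            sub(/,.*/, "", src)          # drop comma-joined extra occurrences, if any
            if ($2 != "")      svc = "tcp/" $2
            else if ($3 != "") svc = "udp/" $3
            else               svc = "-"
            count[src "\t" svc "\t" $4]++
        }
        END { for (k in count) print k "\t" count[k] }
    ' | LC_ALL=C sort
}

# Usage: service_summary smbtorture.cap.gz 192.168.114.129
service_summary() {
    tshark_rows "$1" "$2" | summarize
}
```

Fed four constructed rows (two SMB packets to tcp/445, one DNS reply to udp/49157, and one ICMP error whose quoted inner header carries udp/389 and a comma-joined ip.src), summarize prints one line per source/service/protocol with a packet count, and the ICMP packet is attributed to 192.168.114.129 alone. The -E occurrence=f option only helps for fields that actually occur twice; the quoted port in an ICMP error occurs once, which is why the protocol column is kept in the key.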