You can do this with tshark, either with copy & paste or in one go to extract packets from the second file into a third.
In a shell (bash or other) you can do the following to create a comma-separated list of the IP addresses in the first file:
tshark -r <first-file> -T fields -E occurrence=f -e ip.src | sort -u | paste -d, -s -
You can copy & paste this into this display filter in Wireshark:
not ip.addr in {<copied list>}
You can also create a new file in one go with the following command:
tshark -r <second file> -w <third file> -Y "not ip.addr in {$(tshark -r <first-file> -T fields -E occurrence=f -e ip.src | sort -u | paste -d, -s -)}"
And then open up the third file in Wireshark :-)
If you're on Windows, use a (bash) shell in WSL or Cygwin, or you can look up the equivalent of these commands for CMD or PowerShell.
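The one-liner above as a small script, added here as an example and not part of the original answer. It also handles two cases the pipeline does not: packets without an IPv4 layer (which produce empty lines in the field output and would leave a stray comma in the list) and a first file with no addresses at all. The function names `build_exclude_filter` and `exclude_known_sources` are hypothetical.

```shell
#!/bin/sh
# Added example; function names and argument order are assumptions.

# Read "tshark -T fields -e ip.src" output on stdin and print the display
# filter that excludes those addresses. Lines that are not a dotted-quad
# address (for example the empty lines tshark prints for ARP or IPv6
# packets) are dropped. Returns 1 and prints nothing when no address is
# left, so an empty "in {}" set is never handed to tshark.
build_exclude_filter() {
    _list=$(tr -d '\r' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
        | sort -u \
        | paste -d, -s -)
    [ -n "$_list" ] || return 1
    printf 'not ip.addr in {%s}\n' "$_list"
}

# $1 = first capture (source of the address list)
# $2 = second capture (to be filtered)
# $3 = output capture
exclude_known_sources() {
    _filter=$(tshark -r "$1" -T fields -E occurrence=f -e ip.src \
        | build_exclude_filter) || {
        echo "no IPv4 source addresses found in $1" >&2
        return 1
    }
    tshark -r "$2" -w "$3" -Y "$_filter"
}

# Run only when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    exclude_known_sources "$1" "$2" "$3"
fi
```
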