Revision history

initial version

Take a packet capture with Wireshark or tshark.

Open the file in Wireshark. Go to Statistics > Conversations > IPv4 (and/or IPv6, if you use it). Sort by the packets column to see the src/dst IP that are producing the most traffic.

This equivalent with the CLI and GNU coreutils will print the most frequent conversations: tshark -r tmp.pcap -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -r

Take a packet capture with Wireshark or tshark.

Open the file in Wireshark. Go to Statistics > Conversations and look at the Ethernet, IPv4, and IPv6 sections. Sort by the Addresses/Packets column to see the src/dst MAC/IP that are producing the most traffic.

This equivalent with the CLI and GNU coreutils will print the most frequent conversations (based on IPv4 address): tshark -r tmp.pcap -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -r

Depending on how much you care about this, you may want to take a monitor-mode packet capture (tshark -I) on a device that supports it to see if there's an 802.11 problem. Whether you have access to raw wireless traffic is dependent on your device (most Windows devices don't permit access, but macOS/Linux do).

Edited per @guy-harris
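
The following is an added example, not part of the original answer. It extends the CLI pipeline above so that A->B and B->A count as one conversation (as in the Conversations dialog) and so that byte totals are reported. The function names `top_conversations` and `sample_rows`, the extra `frame.len` column, and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Direction-insensitive "top conversations" from tshark field output.
# Expected input: tab-separated rows "src<TAB>dst<TAB>frame.len", e.g. from
#   tshark -r tmp.pcap -T fields -E occurrence=f -e ip.src -e ip.dst -e frame.len
# Use ipv6.src/ipv6.dst or eth.src/eth.dst for the other address families.

top_conversations() {
    # Output: packets<TAB>bytes<TAB>"A <-> B", busiest conversation first.
    awk -F '\t' '
        # Packets without the requested address fields (e.g. ARP when
        # extracting ip.*) produce empty columns; skip them.
        $1 == "" || $2 == "" { next }
        {
            # Order the endpoints as strings so both directions share a key.
            key = ($1 "" < $2 "") ? $1 " <-> " $2 : $2 " <-> " $1
            packets[key]++
            bytes[key] += $3
        }
        END {
            for (k in packets)
                printf "%d\t%d\t%s\n", packets[k], bytes[k], k
        }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2nr -k3,3
}

# Constructed sample rows (not from a real capture); the third row has no
# IPv4 addresses, as a non-IP frame would.
sample_rows() {
    printf '192.168.1.10\t192.168.1.1\t1500\n'
    printf '192.168.1.1\t192.168.1.10\t60\n'
    printf '\t\t42\n'
    printf '192.168.1.10\t192.168.1.1\t1500\n'
    printf '192.168.1.20\t192.0.2.53\t74\n'
    printf '192.0.2.53\t192.168.1.20\t90\n'
}

# Demo run on the constructed sample.
sample_rows | top_conversations
```

Sorting on packet count finds chatty hosts, while the byte column separates a host sending many small frames from one moving bulk data.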