One Entry per Source-IP/Dest-Port

asked 2021-01-06 14:28:31 +0000 by Acrylic

updated 2021-01-06 14:29:27 +0000

I have a couple of huge Wireshark captures that I need to analyze and report on. Basically I am trying to prove 'what' and 'how' is talking to a pair of servers due to be decommissioned.

After I apply my filter (basically for the RFC1918 ranges used by the company) I still end up with over a million packets for each server.

I just need to report on which IPs are talking to these servers, and on which port, in an Excel format. Something like:

Source: 10.1.1.1 Port: 430 Server responded (y/n): yes

Obviously this is a pcap, so it's not just a single piece of traffic, and in the case of SMB it's scattered all over the place and may be thousands of packets for what will eventually be a single row in my Excel sheet.

Is there any way I can filter each source-IP/dest-port combination into a single entry, without having to manually go over these gigantic captures?

Many thanks,

Josh


2 Answers


answered 2021-01-06 16:07:58 +0000 by Chuckc

Have you looked at using tshark to extract the data?
SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)

(sample capture used here from the Wireshark Wiki)

$ tshark -r ./smbtorture.cap.gz -Y "ip.dst==192.168.114.129" -T fields -e ip.src -e tcp.dstport -e udp.dstport -e _ws.col.Protocol | sort | uniq
192.168.114.1           389     CLDAP
192.168.114.1           49157   DNS
192.168.114.1           49178   DNS
192.168.114.1   139             NBSS
192.168.114.1   139             TCP
192.168.114.1   445             DCERPC
192.168.114.1   445             LANMAN
192.168.114.1   445             LSARPC
192.168.114.1   445             SMB
192.168.114.1   445             TCP
192.168.114.129,192.168.114.1           389     ICMP
192.168.114.254         68      DHCP
$

The query below shows response packets from the server.
If on Windows, sort has a /unique option:

C:\>tshark -r smbtorture.cap.gz -Y "ip.src==192.168.114.129" -T fields -e ip.dst -e tcp.srcport -e udp.srcport  | sort /unique
192.168.114.1           49157
192.168.114.1           49178
192.168.114.1   139
192.168.114.1   445
192.168.114.1,192.168.114.129           32811
192.168.114.254         68
192.168.114.255         137
192.168.114.255         138
224.0.0.22
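
Taking the two tshark runs in this answer one step further, here is an added Python example (not part of the original answer, and not Wireshark or tshark code) that joins the to-server and from-server field output into one row per source IP and destination port with a "server responded" column, which is the spreadsheet shape the question asks for. The field order matches the tshark commands above; the file names in the docstring, the function and column names, and the sample rows embedded in the script are my own constructed input, not real capture data.

```python
"""Collapse tshark field output into one row per source IP / destination port.

Produce the two inputs with tshark (file names are hypothetical; SERVER is the
address of the box being decommissioned). -E occurrence=f keeps only the first
value of multi-valued fields such as the ip.src of an ICMP error:

  tshark -r big.pcap -Y "ip.dst==SERVER" -T fields -E occurrence=f \
      -e ip.src -e tcp.dstport -e udp.dstport -e _ws.col.Protocol > to_server.tsv
  tshark -r big.pcap -Y "ip.src==SERVER" -T fields -E occurrence=f \
      -e ip.dst -e tcp.srcport -e udp.srcport > from_server.tsv
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample input (not a real capture), shaped like the tshark output
# in the answer above: ip.src, tcp.dstport, udp.dstport, protocol column.
TO_SERVER = (
    "192.168.114.1\t\t389\tCLDAP\n"
    "192.168.114.1\t139\t\tNBSS\n"
    "192.168.114.1\t139\t\tTCP\n"
    "192.168.114.1\t445\t\tSMB\n"
    "192.168.114.1\t445\t\tSMB\n"
    "192.168.114.1\t445\t\tDCERPC\n"
    "192.168.114.1\t445\t\tTCP\n"
    # ICMP error quoting the original header: two ip.src values without -E occurrence=f
    "192.168.114.129,192.168.114.1\t\t389\tICMP\n"
    "192.168.114.254\t\t68\tDHCP\n"
    "10.1.1.1\t430\t\tTCP\n"
)
# Constructed sample of the reverse direction: ip.dst, tcp.srcport, udp.srcport.
FROM_SERVER = (
    "192.168.114.1\t139\t\n"
    "192.168.114.1\t445\t\n"
    "192.168.114.254\t\t68\n"
    "192.168.114.255\t\t137\n"
    "224.0.0.22\t\t\n"  # IGMP: no port, so it can never match a flow key
)

COLUMNS = ["source", "transport", "port", "protocols", "packets", "server_responded"]


def parse_rows(text, nfields):
    """Split tab-separated tshark -T fields output into rows of nfields strings."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            parts = line.split("\t")
            parts += [""] * (nfields - len(parts))  # tolerate stripped trailing tabs
            rows.append(parts[:nfields])
    return rows


def flow_key(addr, tcp_port, udp_port):
    """Return (address, transport, port), or None if the packet has no TCP/UDP port.

    Comma-separated multi-valued fields are reduced to their first value, which
    is the outer header (relevant for ICMP errors that quote the original packet)."""
    addr = addr.split(",")[0]
    if tcp_port:
        return (addr, "tcp", int(tcp_port.split(",")[0]))
    if udp_port:
        return (addr, "udp", int(udp_port.split(",")[0]))
    return None


def summarize(to_server_text, from_server_text):
    """One row per (source, transport, port) with a server_responded flag.

    'yes' means the server sent at least one packet from that port back to the
    source; it does not distinguish an application reply from a bare TCP RST."""
    answered = set()
    for dst, tcp_sport, udp_sport in parse_rows(from_server_text, 3):
        key = flow_key(dst, tcp_sport, udp_sport)
        if key is not None:
            answered.add(key)

    packets = defaultdict(int)
    protocols = defaultdict(set)
    for src, tcp_dport, udp_dport, proto in parse_rows(to_server_text, 4):
        key = flow_key(src, tcp_dport, udp_dport)
        if key is None:
            continue  # ARP, IGMP, ICMP without a quoted port, etc.
        packets[key] += 1
        if proto:
            protocols[key].add(proto)

    rows = []
    # Sort numerically by IP (packed bytes, so IPv4 sorts before IPv6), then transport, then port.
    for key in sorted(packets, key=lambda k: (ipaddress.ip_address(k[0]).packed, k[1], k[2])):
        src, transport, port = key
        rows.append({
            "source": src, "transport": transport, "port": port,
            "protocols": "/".join(sorted(protocols[key])),
            "packets": packets[key],
            "server_responded": "yes" if key in answered else "no",
        })
    return rows


def to_csv(rows):
    """Render the rows as CSV text that opens directly in Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(summarize(TO_SERVER, FROM_SERVER)), end="")
```

To run it on real captures, replace the two embedded samples with the contents of to_server.tsv and from_server.tsv. Two caveats for the report: the first tshark output above shows why the ICMP row carries two addresses (the error packet quotes the original IP header, so ip.src matches twice), and "server responded: yes" only proves the server sent something back from that port; a RST or an ICMP port-unreachable counts as much as a real SMB reply, so add a filter such as tcp.flags.reset==0 to the from-server run if you want to exclude refused connections.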

answered 2021-01-06 15:04:16 +0000 by grahamb

In the Statistics menu there is an item "Endpoints" that displays a dialog which (for various protocols as shown on the tabs) lists the addresses and ports as applicable for all hosts in the capture.

Similarly there is a "Conversations" dialog that shows the conversations between the hosts in the capture.

Both these dialogs have a checkbox to limit the details to the current display filter.
