One Entry per Source-IP/Dest-Port

asked 2021-01-06 14:28:31 +0000

updated 2021-01-06 14:29:27 +0000

I have a couple of huge Wireshark captures that I need to analyze and report on. Basically I am trying to prove 'what' and 'how' is talking to a pair of servers due to be decommissioned.

After I apply my filter (basically for the RFC1918 ranges used by the company) I still end up with over a million packets for each server.

I just need to report on which IPs are talking to these servers, and on which port, in an Excel format. Something like:

Source: Port: 430 Server responded (y/n): yes

Obviously this is a pcap, so it's not just a single traffic, and in the case of SMB it's scattered all over the place and may be thousands of packets for what will eventually be a single row in my Excel sheet.

Is there any way I can filter each source-IP/dest-port combination into a single entry, without having to manually go over these gigantic captures?

answered 2021-01-06 16:07:58 +0000

Have you looked at using tshark to extract the data?
SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)

(sample capture used here from the Wireshark Wiki)

    $ tshark -r ./smbtorture.cap.gz -Y "ip.dst==" -T fields -e ip.src -e tcp.dstport -e udp.dstport -e _ws.col.Protocol | sort | uniq
               389     CLDAP
               49157   DNS
               49178   DNS
       139             NBSS
       139             TCP
       445             DCERPC
       445             LANMAN
       445             LSARPC
       445             SMB
       445             TCP,
               389     ICMP
               68      DHCP

The query below shows response packets from the server.
If on Windows, sort has a /unique option:

    C:\>tshark -r smbtorture.cap.gz -Y "ip.src==" -T fields -e ip.dst -e tcp.srcport -e udp.srcport | sort /unique
               49157
               49178
       139
       445,
               32811
             68
             137
             138

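
As an added example (not part of the answer above), the tab-separated `-T fields` output can be collapsed into the one-row-per-source/port sheet the question asks for, including the "server responded" column: a client-to-server packet creates the row, and any packet back from the server on that same port marks it as answered. The rows below are constructed, and the server address 10.0.0.10 is assumed.

```python
import csv
import io

# Constructed sample rows, in the shape tshark prints for:
#   tshark -r cap.pcap -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
#          -e udp.srcport -e udp.dstport -e _ws.col.Protocol
# Fields are tab-separated; a field that does not apply to a packet is empty.
SAMPLE_TSV = (
    "10.1.2.3\t10.0.0.10\t51000\t445\t\t\tSMB\n"
    "10.0.0.10\t10.1.2.3\t445\t51000\t\t\tSMB\n"
    "10.1.2.3\t10.0.0.10\t51000\t445\t\t\tSMB\n"
    "10.1.9.9\t10.0.0.10\t\t\t53011\t389\tCLDAP\n"
    "10.0.0.10\t10.1.9.9\t\t\t389\t53011\tCLDAP\n"
    "10.1.7.7\t10.0.0.10\t40000\t22\t\t\tTCP\n"
)

SERVERS = {"10.0.0.10"}  # assumed address of a server being decommissioned

def summarize(tsv_text, servers):
    """Collapse per-packet rows into one entry per (client IP, server IP, server port).

    Packets towards a server are counted; a packet back from that server on the
    same port marks the entry as responded.  Returns {key: {...}}."""
    rows = {}
    for line in tsv_text.splitlines():
        if not line.strip():
            continue
        src, dst, tsp, tdp, usp, udp, proto = (line.split("\t") + [""] * 7)[:7]
        blank = {"packets": 0, "responded": False, "protocols": set()}
        if dst in servers:                  # client -> server: server port is dst port
            entry = rows.setdefault((src, dst, tdp or udp), blank)
            entry["packets"] += 1
            entry["protocols"].add(proto)
        elif src in servers:                # server -> client: server port is src port
            entry = rows.setdefault((dst, src, tsp or usp), blank)
            entry["responded"] = True
    return rows

def to_csv(rows):
    """Render the summary as CSV text that Excel opens directly."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["source", "server", "port", "protocols", "packets_to_server", "server_responded"])
    for (src, srv, port), e in sorted(rows.items()):
        w.writerow([src, srv, port, "/".join(sorted(e["protocols"])), e["packets"],
                    "yes" if e["responded"] else "no"])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(summarize(SAMPLE_TSV, SERVERS)), end="")
```

For a real capture, save the tshark field output to a file first (with the RFC1918 display filter applied via -Y) and pass its contents to summarize().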
answered 2021-01-06 15:04:16 +0000

In the Statistics menu there is an item "Endpoints" that displays a dialog which (for various protocols as shown on the tabs) lists the addresses and ports as applicable for all hosts in the capture.

Similarly there is a "Conversations" dialog that shows the conversations between the hosts in the capture.

Both these dialogs have a checkbox to limit the details to the current display filter.

