Multi-Point capture - Generate filter from conversations in PCAP
Hello Wireshark-Community, we have two capture points in the network, at Access-SW and WAN-Edge, to figure out if there is packet loss inside the LAN. At Access there was of course much less traffic, compared to WAN edge where everything aggregates. Now, on the WAN-Edge capture I want to filter out all the conversations that did not source from the access switch.
So, is there a way to generate a Display/BPF filter that only contains IP conversations from the Access-SW capture file, so that I can apply this filter to the WAN-Edge capture file? I hope you understand my goal: to only see common conversations that show up in both files.
Thank you!
You can use Tshark to export the source and destination IPs from the access switch capture:
If you know your client network subnet, you can filter the output by the source subnet:
To reduce the output to unique addresses, you can pipe it to "sort /unique" (Windows only).
As soon as you have the list with the unique IP addresses, you can add it to Excel to create a capture filter (e.g. by using "="host "&A1&" AND host "&A2&" AND host "....").
Thanks and good idea. The only drawback is that the subnet is not local to this switch only (it is spanned) and there are clients from many VLANs. I think I will filter out local communication towards WAN (!ip.dst==10.0.0.0/8) and create an IP list of those max. 48 clients. Thank you again.
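The approach discussed in this thread, as an added shell example that is not part of any post above: it turns tshark's `ip.src`/`ip.dst` field output into one filter term per conversation, ANDing the two endpoints and ORing the conversations, in either BPF or display-filter syntax (the display form goes slightly beyond what the answer describes). The function names, file names and sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File names are assumptions.

# One "src<TAB>dst" line per IPv4 packet in the capture (requires tshark).
list_pairs() {
    tshark -r "$1" -Y "ip" -T fields -e ip.src -e ip.dst
}

# stdin: "src dst" lines. $1: "bpf" (tcpdump/capture syntax) or "display"
# (Wireshark display syntax). Both directions of a conversation collapse to
# one term; terms are ORed so any listed conversation matches.
pairs_to_filter() {
    awk -v mode="${1:-bpf}" '
        # Skip lines where a field holds several comma-joined addresses
        # (e.g. ICMP errors that embed the original IP header).
        NF == 2 && $0 !~ /,/ {
            a = $1 ""; b = $2 ""            # force string comparison
            if (a > b) { t = a; a = b; b = t }
            key = a " " b
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        }
        END {
            sep = (mode == "display") ? " || " : " or "
            for (i = 1; i <= n; i++) {
                split(order[i], p, " ")
                if (mode == "display")
                    term = "(ip.addr==" p[1] " && ip.addr==" p[2] ")"
                else
                    term = "(host " p[1] " and host " p[2] ")"
                printf "%s%s", (i > 1 ? sep : ""), term
            }
            if (n) printf "\n"
        }'
}

# Constructed sample of list_pairs output (not real traffic).
sample_pairs() {
    printf '10.1.20.15\t192.0.2.10\n'
    printf '192.0.2.10\t10.1.20.15\n'
    printf '10.1.20.16\t198.51.100.7\n'
    printf '198.51.100.7,10.1.20.16\t10.1.20.16,198.51.100.7\n'
}

# Typical use (assumed file names):
#   f=$(list_pairs access.pcapng | pairs_to_filter bpf)
#   tcpdump -r wan-edge.pcap -w common.pcap "$f"
```

With many conversations the generated expression gets long, so narrowing the access capture first (for example to WAN-bound traffic, as in the last reply) keeps the filter manageable.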