Ask Your Question
0

Multi-Point capture - Generate filter from conversations in PCAP

asked 2021-01-18 09:21:06 +0000

wshark_de gravatar image

updated 2021-01-18 09:29:17 +0000

Hello Wireshark-Community, we have two capture points in the network. At Access-SW + WAN-Edge to figure out if there is packet loss inside LAN. At Access there was of course much less traffic, compared to WAN edge where everything aggregates. Now, on WAN-Edge-Capture I want to filter out all the conversations that did not source from access switch.

So, is there a way to generate a Display/BPF Filter that only contains IP conversations from Access-SW capture file to that I can apply this filter to WAN-Edge capture file? I hope you understand my goal to only see common conversations that show up in both files?

Thank you!

edit retag flag offensive close merge delete

Comments

You can use Tshark to export the source and destination IPs from the access switch capture:

  • tshark -r file.pcap -T fields -e ip.src -e ip.dst

If you know your client network subnet, you can filter the output by the source subnet:

  • tshark -r file.pcap -T fields -e ip.src -Y "ip.src == 192.168.0.0/24"

To reduce the output to unique addresses, you can pipe it to "sort /unique" (Windows only)

  • tshark -r file.pcap -T fields -e ip.src -Y "ip.src == 192.168.0.0/24" | sort /unique

As soon as you've the list with the unique IP addresses, you can add it to Excel to create a capture filter (e.g. by using "="host "&A1&" AND host "&A2&" AND host "....)"

JasMan gravatar imageJasMan ( 2021-01-18 14:20:59 +0000 )edit

Thanks and good idea. The only drawback is that the subnet is not local to this switch only (it is spanned) and there are clients from many VLANs.I think I will filter out local communication towards WAN (!ip.dst==10.0.0.0/8) and create a IP list of those max. 48 clients. Thank you again.

wshark_de gravatar imagewshark_de ( 2021-01-19 09:15:26 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-01-24 11:48:00 +0000

JasMan gravatar image

You can use Tshark to export the source and destination IPs from the access switch capture:

tshark -r file.pcap -T fields -e ip.src -e ip.dst

If you know your client network subnet, you can filter the output by the source subnet:

tshark -r file.pcap -T fields -e ip.src -Y "ip.src == 192.168.0.0/24"

To reduce the output to unique addresses, you can pipe it to "sort /unique" (Windows only)

tshark -r file.pcap -T fields -e ip.src -Y "ip.src == 192.168.0.0/24" | sort /unique

As soon as you've the list with the unique IP addresses, you can add it to Excel to create a capture filter (e.g. by using "="host "&A1&" AND host "&A2&" AND host "....)"

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-01-18 09:21:06 +0000

Seen: 578 times

Last updated: Jan 24 '21