I am trying to figure out how may unique source IP addresses there are in a pcap file viewing through Wireshark. Then how many unique destination IP addresses there are. I tried endpoints but I believe that is total unique addresses but I need a separate count of source and destination.
Statistics -> IPv4 Statistics -> Source and Destination Addresses
Statistics -> IPv6 Statistics -> Source and Destination Addresses
The menu items above look like a gui front end to the tshark options:
-z ip_srcdst,tree[,filter]
Calculate statistics on IPv4 addresses, with source and destination addresses separated into separate categories.-z ip6_srcdst,tree[,filter]
Calculate statistics on IPv6 addresses, with source and destination addresses separated into separate categories.
(The output is suspect. A test capture with IPv4 and IPv6 packets, IPv6 addresses appear in the IPv4 statistics.)
This can be done with tshark pulling the ip.src and ip.dst fields and crunching the output.
Be aware that some packets (e.g. ICMP and ICMPv6) include an extra IP header so there are multiple ip.src and ip.dst in the packets.
$ tshark -r ./*10130* -T fields -e ip.src | sort | uniq | sort -n | wc
176 175 2840
$ tshark -r ./*10130* -T fields -e ipv6.src | sort | uniq | sort -n | wc
178 177 5412
Lower counts when only counting the first occurrence of the field in each frame.
$ tshark -r ./*10130* -T fields -E occurrence=f -e ip.src | sort | uniq | sort -n | wc
169 168 2474
$ tshark -r ./*10130* -T fields -E occurrence=f -e ipv6.src | sort | uniq | sort -n | wc
176 175 4502
Asked: 2022-05-07 00:37:10 +0000
Seen: 2,603 times
Last updated: May 07 '22
