Ask Your Question
0

On Windows, how can I get a list of source IP addresses in network traffic with duplicates removed?

asked 2018-05-13 18:21:09 +0000

logn gravatar image

updated 2018-09-19 21:08:41 +0000

grahamb gravatar image

i want to get unique ip in interface ethernet using tshark.i try using cmd in window:

C:\Users\long>wireshark\tshark -i ethernet -T fields -e ip.src sort | uniq

But its not work.Its notice: 'uniq' is not recognized as an internal or external command, operable program or batch file. Help me pls.Thank in advance

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
1

answered 2018-05-13 18:41:35 +0000

grahamb gravatar image

Those extra commands | sort | uniq will not work on Windows, they are Unix (or BSD) commands.

If you have a recent version of Windows (Vista or later) then you do have PowerShell which offers similar commands e.g.

path\to\tshark -i ethernet -T fields -e ip.src | Sort-Object | Get-Unique

To use PowerShell you have to open a PowerShell prompt.

edit flag offensive delete link more

Comments

Thank u very much

logn gravatar imagelogn ( 2018-05-14 03:21:37 +0000 )edit

Its work,thanks u.When i try this code using PowerShell to creat a pcap file then get unique ip address:

C:\Users\long> wireshark\tshark -i ethernet -a duration:60 -f "udp" -Y "frame.cap_len>=90 && frame.cap_len <=100" -w test3.pcap

Its doesn't work.I dont know why,Can u help me.Thank in advance

logn gravatar imagelogn ( 2018-05-14 08:24:39 +0000 )edit

It doesn't work as per the error message reported:

tshark: Display filters aren't supported when capturing and saving the captured packets

You can convert the display filter part (-Y ...) to a capture filter:

wireshark\tshark -i ethernet -a duration:60 -f "udp and len>=90 and len <=100" -w test3.pcap
grahamb gravatar imagegrahamb ( 2018-05-14 09:00:37 +0000 )edit

Note that if an answer has solved your issue, you should accept it for the benefit of others with the same query by clicking the checkmark next to it.

grahamb gravatar imagegrahamb ( 2018-05-14 09:17:34 +0000 )edit
0

answered 2018-05-13 18:35:01 +0000

Jasper gravatar image

It looks like you're using Windows, in which case there is no preinstalled "uniq" command. What you could do is use Powershell, which should be available, in which case your command could look like this:

C:\Users\long>wireshark\tshark -i ethernet -T fields -e ip.src | Group-Object | Where-Object count -eq 1 | Select-Object -Expand Group

Though I might add that this won't probably work during live capture (which is the same for using uniq and sort, because it needs a full scan over the complete set to determine duplicates), but it works while reading an exsting PCAPng file from disk via -r parameter.

edit flag offensive delete link more

Comments

Thank u very much

logn gravatar imagelogn ( 2018-05-14 03:21:52 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2018-05-13 18:21:09 +0000

Seen: 4,479 times

Last updated: Sep 19 '18