Ask Your Question
0

Create filter based on IP-addresses from captured file

asked 2023-11-25 14:09:44 +0000

ares gravatar image

Hi,

I'm new to Wireshark. What I want to do is to do 2 captures. I want to make a filter out of the IP-addresses that are present in the first capture. I want to filter out those IP-addresses in the second capture. How do I do this without having to write ip.addr != address from first capture for all of the IP-addresses?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-11-25 15:02:06 +0000

SYN-bit gravatar image

You can do this with tshark, either with copy & paste or in one go to extract packets from the second file into a third.

In a shell (bash or other) you can do the following to create a comma separated list of the ip addresses in the first file:

tshark -r <first-file> -T fields -E occurrence=f -e ip.src | sort -u | paste -d, -s -

You can copy & paste this into this display filter not ip.addr in {<copied list>} in Wireshark.

You can also create a new file in one go with the following command:

tshark -r <second file> -w <third file> -Y "not ip.addr in {$(tshark -r <first-file> -T fields -E occurrence=f -e ip.src | sort -u | paste -d, -s -)}"

And then open up the third file in Wireshark :-)

If you're on Windows, use a (bash) shell in WSL or CYGWIN or you can look up the equivalent of these commands for CMD or Powershell.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2023-11-25 14:09:44 +0000

Seen: 263 times

Last updated: Nov 25 '23