This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Eliminate duplicate source addresses


How can I eliminate duplicate source addresses so that I only see how many computers are communicating on a certain port? The display is filtered to only show port 137 and the addresses are sorted, but there are hundreds of packets for each source address because the capture ran for quite a while. I want to eliminate the duplicates to only show which computers are using 137.

asked 13 Jan '11, 14:22

JTC


2 Answers:


Would something like the following work?

  • Apply the display filter udp.port eq 137 (or udp.dstport eq 137)
  • Go to Statistics→Endpoints
  • Select the UDP tab
  • Select Limit to display filter

answered 13 Jan '11, 15:07

Gerald Combs ♦♦

  • and if there are many many many rows, take a look at the number in the tab header instead of counting the lines by hand.

(yes, I had students in my class actually starting to count lines by hand once) :-)

(13 Jan '11, 16:56) Jasper ♦♦


Or you can use tshark :-)

tshark -r <file> -R "udp.dstport==137" -T fields -e ip.src | sort -n | uniq

This will give you a list of all IP addresses that have sent packets to udp port 137 or ...

tshark -r <file> -R "udp.dstport==137" -T fields -e ip.src | \
    sort | uniq -c | sort -rn | head

...will give you a top 10 of all IP addresses that have sent packets to udp port 137.

(If you are on Windows, you can make this work by installing cygwin)

answered 16 Jan '11, 00:52

SYN-bit ♦♦
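The pipeline in the answer above can be wrapped into reusable shell functions that answer both of the original questions (how many distinct hosts, and which are the top talkers). This is an added example, not code from the answer or from the Wireshark project; it assumes the tshark field output was produced with `-e ip.src -e udp.dstport` and uses a constructed, embedded sample of that output instead of reading a live capture. Current tshark releases take the display filter with `-Y`; the `-R` option used in the answer predates that.

```shell
#!/bin/sh
# Added example: post-process tshark field output to list the distinct
# source addresses sending to UDP port 137 and the top talkers among them.
# Assumed producer command (not run here):
#   tshark -r capture.pcap -Y "udp.dstport==137" -T fields -e ip.src -e udp.dstport

# Constructed sample of tshark "-T fields" output: one line per packet,
# "ip.src<TAB>udp.dstport". Stands in for the real capture.
sample_output() {
  printf '192.168.1.10\t137\n'
  printf '192.168.1.10\t137\n'
  printf '192.168.1.22\t137\n'
  printf '192.168.1.10\t137\n'
  printf '10.0.0.5\t137\n'
  printf '192.168.1.22\t137\n'
  printf '192.168.1.10\t137\n'
}

# Distinct source addresses, one per line (sorted as text, duplicates dropped).
distinct_sources() {
  cut -f1 | sort -u
}

# Number of distinct sources: the "how many computers" figure.
count_sources() {
  distinct_sources | wc -l | tr -d ' '
}

# Top-N sources by packet count, printed as "count address" per line.
# Defaults to the top 10, matching the "| head" in the answer.
top_sources() {
  n=${1:-10}
  cut -f1 | sort | uniq -c | sort -rn | head -n "$n" | awk '{print $1, $2}'
}

# Stand-alone run against the constructed sample.
sample_output | count_sources
sample_output | top_sources 3
```

Against a real capture, replace `sample_output` with the tshark command; the functions read from standard input, so `tshark ... | count_sources` works unchanged.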