Using tshark or Wireshark, is there a filter for unique MAC address, IP addresses? I would like to list all of the unique address in a PCAP. Or will this require some scripting to grep the output of tshark/tcpdump and then sort based on uniq output.
asked 29 Jun '11, 17:12
Count unique IP addresses: tshark -r <input.pcap> -T fields -e ip.dst ip.src | sort | uniq
Count unique Ethernet addresses: tshark -r <input.pcap> -T fields -e eth.dst eth.src | sort | uniq
Note that e.g. ip.addr, which seems natural, actually lists out IP conversation endpoints.
(with many thanks, and a shout-out to Sake Blok)
answered 29 Jun '11, 19:40
As hangsanb alluded to, you can use Wireshark's
answered 29 Jun '11, 19:00