Using tshark or Wireshark, is there a filter for unique MAC addresses or IP addresses? I would like to list all of the unique addresses in a PCAP. Or will this require some scripting to grep the output of tshark/tcpdump and then sort based on uniq output?

Thanks

asked 29 Jun '11, 17:12

Pyxis

Other than Statistics, Conversations? Wouldn't that do what you need?

(29 Jun '11, 18:38) hansangb

Both of your answers worked quite well...

(29 Jun '11, 21:28) Pyxis

Count unique IP addresses: tshark -r <input.pcap> -T fields -e ip.dst ip.src | sort | uniq

Count unique Ethernet addresses: tshark -r <input.pcap> -T fields -e eth.dst eth.src | sort | uniq

Note that e.g. ip.addr, which seems natural, actually lists out IP conversation endpoints.

(with many thanks, and a shout-out to Sake Blok)

answered 29 Jun '11, 19:40

griff

Sounds like you were at sharkfest!

(29 Jun '11, 19:41) zachad

Thanks for the feedback!

(29 Jun '11, 21:26) Pyxis

As hansangb alluded to, you can use Wireshark's Statistics -> Endpoints, then choose the Ethernet tab for a list of unique MAC addresses, and choose the IPv4 (or IPv6) tab for the list of unique IP addresses. You probably want to disable name resolution to see the actual values instead of the resolved OUIs or domain names. The nice thing about Statistics -> Endpoints is that it comes equipped with a "Copy" button so you can easily copy all the relevant information about those endpoints to a text/csv file for further analysis/reporting.

answered 29 Jun '11, 19:00

cmaynard ♦♦

Thanks for the Wireshark answer, did not realize I could only mark one correct response.

(29 Jun '11, 21:27) Pyxis

The answer from @griff doesn't seem to work as expected, at least in Wireshark/TShark 2.0.2. Instead of displaying both the source and destination IP/MAC addresses, it only shows results for the first -e field.

My workaround is displaying both fields (-e ... -e ...), and then replacing tabs with newlines with (tr "\t" "\n"). This leaves the final command as follows:

Listing all unique IP addresses:

tshark -r input.pcap -T fields -e ip.src -e ip.dst | tr "\t" "\n" | sort | uniq

Listing all unique MAC addresses:

tshark -r input.pcap -T fields -e eth.src -e eth.dst | tr "\t" "\n" | sort | uniq
answered 08 May, 19:49

AlexAltea

edited 08 May, 22:32

I like your answer better than the accepted one.

In fact, the accepted one must have a mistake, because you need a -e for every field to be displayed, but even then you would end up with 2 IP or Ethernet addresses per line, so unless you perform the tab-to-newline trick you did, you could end up with unique pairs of addresses instead of just unique addresses, which is really what you want.

(09 May, 06:58) cmaynard ♦♦
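
The tab-to-newline trick above still has two gaps: frames with no IP layer (ARP, for instance) leave the ip.src/ip.dst columns empty, so an empty "address" shows up in the uniq output, and tshark joins a field that occurs more than once in a frame (the quoted inner IP header in an ICMP error) with a comma, so "10.0.0.2,10.0.0.1" is reported as one address. The following Python post-processor, an added example that is not code from this thread, reads the same `tshark -T fields` output, handles both cases, and also counts how many frames each address appeared in; the sample input it ships with is constructed, not taken from a real capture.

```python
"""Post-process `tshark -T fields` output into lists of unique addresses.

Consumes the tab-separated lines written by
    tshark -r input.pcap -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst
and does what `tr "\\t" "\\n" | sort | uniq` does, but drops empty columns
(frames without an IP layer) and splits comma-joined values (tshark's
default -E aggregator is "," when a field occurs more than once in a frame).
"""
import sys
from collections import Counter

# Constructed sample of tshark output (not from a real capture). Columns:
# eth.src, eth.dst, ip.src, ip.dst, separated by tabs.
SAMPLE = (
    "00:11:22:33:44:55\tff:ff:ff:ff:ff:ff\t\t\n"  # ARP broadcast: no IP layer
    "00:11:22:33:44:55\taa:bb:cc:dd:ee:ff\t10.0.0.1\t10.0.0.2\n"
    "aa:bb:cc:dd:ee:ff\t00:11:22:33:44:55\t10.0.0.2\t10.0.0.1\n"
    # ICMP unreachable: outer header plus quoted inner header, comma-joined
    "aa:bb:cc:dd:ee:ff\t00:11:22:33:44:55\t10.0.0.2,10.0.0.1\t10.0.0.1,192.0.2.7\n"
)


def split_field(value):
    """Expand one tshark field value into its non-empty components."""
    return [v for v in value.split(",") if v]


def unique_addresses(lines, mac_cols=(0, 1), ip_cols=(2, 3)):
    """Return (macs, ips): Counter mapping address -> number of frames in
    which it appeared as source or destination (counted once per frame)."""
    macs, ips = Counter(), Counter()
    for line in lines:
        cols = line.rstrip("\n").split("\t")
        frame_macs = {a for c in mac_cols if c < len(cols) for a in split_field(cols[c])}
        frame_ips = {a for c in ip_cols if c < len(cols) for a in split_field(cols[c])}
        macs.update(frame_macs)
        ips.update(frame_ips)
    return macs, ips


def main(stream):
    macs, ips = unique_addresses(stream)
    for label, counter in (("Ethernet", macs), ("IPv4", ips)):
        print(f"{label} endpoints ({len(counter)} unique):")
        for addr, frames in sorted(counter.items()):
            print(f"  {addr}\t{frames} frames")


if __name__ == "__main__":
    # Pipe real tshark output in, or run without a redirect to see the sample.
    main(sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines(True))
```

Run it as `tshark -r input.pcap -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst | python3 unique_addresses.py` (the filename is a placeholder), or without stdin to see the constructed sample processed.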

question asked: 29 Jun '11, 17:12

question was seen: 32,431 times

last updated: 09 May, 06:58

powered by OSQA