Hi there, I am looking to analyse a PCAP file generated using Wireshark. Is there any possibility to use a filter that generates a list of protocols found in the capture? Same thing with the list of IPs and host/domain names in the capture file.


asked 18 Aug '16, 07:54

Have a look at the Wireshark Statistics menu, in particular the Protocol Hierarchy and Endpoints options.

answered 18 Aug '16, 08:10

Actually, I am looking to use custom filters to do this task to make myself understand wireshark better.

(18 Aug '16, 08:12) geniusgenie007

This can't be done with filters, as they only give a match/no match for each frame to display it and don't take into account values in other frames. To show distinct values among frames, e.g. the protocol hierarchy, requires a "tap", which is what the items under the Statistics menu use.

(18 Aug '16, 08:26) grahamb

You'll probably want to do that kind of thing in tshark (as Graham said, this isn't something to do with filters).

For your specific example of getting all the protocols in a file there's actually already a shell script for that (in the Wireshark source code, it's not installed when you install Wireshark): tools/list_protos_in_cap.sh.

Fundamentally the script just runs tshark -T fields -e frame.protocols -nr /path/to/file then does a little more magic to remove duplicate protocols.

Similar mechanisms can be used to find IP addresses, etc.

answered 18 Aug '16, 10:27
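The post-processing the answer describes, as an added example that is not the Wireshark project's own tools/list_protos_in_cap.sh: the tshark invocations (frame.protocols, ip.src/ip.dst, dns.qry.name, http.host) are real tshark field names, while the sample tshark output embedded below is constructed so the dedup logic can be run without a capture file. Pass a capture path as the first argument to run it against tshark for real; with no argument it runs on the constructed sample.

```shell
#!/bin/sh
# Added example: reduce `tshark -T fields` output to distinct values.
# The Wireshark script does the same job for protocols; this version also
# covers IP endpoints and DNS/HTTP host names, which the question asked about.

# Distinct protocol names from frame.protocols lines such as
# "eth:ethertype:ip:tcp:http" (one line per frame on stdin).
list_protos() {
    tr ':' '\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Distinct addresses from "ip.src<TAB>ip.dst" lines on stdin. Frames without
# an IP layer (e.g. ARP) print empty fields, and a field that occurs twice in
# one frame (e.g. an ICMP error quoting an IP header) is printed comma
# separated, so both separators and blanks are handled.
list_values() {
    tr '\t,' '\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Wrappers that run tshark on a capture file and pipe through the helpers.
protos_in_cap() {
    tshark -nr "$1" -T fields -e frame.protocols | list_protos
}
ips_in_cap() {
    tshark -nr "$1" -T fields -e ip.src -e ip.dst | list_values
}
# Host names: DNS query names from queries only, plus HTTP Host headers.
names_in_cap() {
    tshark -nr "$1" -Y 'dns.flags.response == 0' -T fields -e dns.qry.name | list_values
    tshark -nr "$1" -Y http.host -T fields -e http.host | list_values
}

# Constructed sample of what `tshark -T fields -e frame.protocols` prints.
SAMPLE_PROTOS='eth:ethertype:ip:tcp
eth:ethertype:ip:tcp:http
eth:ethertype:ip:udp:dns
eth:ethertype:arp
eth:ethertype:ip:tcp:http'

# Constructed sample of `tshark -T fields -e ip.src -e ip.dst` (tab separated,
# including an ARP frame with empty fields).
SAMPLE_IPS="$(printf '10.0.0.5\t93.184.216.34\n93.184.216.34\t10.0.0.5\n\t\n10.0.0.5\t10.0.0.1\n')"

if [ -n "$1" ]; then
    echo "== protocols"; protos_in_cap "$1"
    echo "== ip addresses"; ips_in_cap "$1"
    echo "== host names"; names_in_cap "$1"
else
    echo "== protocols (sample)"; printf '%s\n' "$SAMPLE_PROTOS" | list_protos
    echo "== ip addresses (sample)"; printf '%s\n' "$SAMPLE_IPS" | list_values
fi
```

`sort -u` after splitting is the whole trick; `-n` on tshark keeps name resolution off so the IP list contains addresses rather than resolved names, which is also why host names are taken from the DNS and HTTP fields instead.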

Thanks a lot Jeff and Graham, I will definitely give it a try.

(18 Aug '16, 14:59) geniusgenie007

last updated: 18 Aug '16, 14:59

