
Hi there, I am looking to analyse a PCAP file generated using Wireshark. Is there any possibility to use a filter that generates a list of protocols found in the capture? Same thing with the list of IPs and host/domain names in the capture file.

Regards

asked 18 Aug '16, 07:54


geniusgenie007


Have a look at the Wireshark Statistics menu, in particular the Protocol Hierarchy and Endpoints options.


answered 18 Aug '16, 08:10


grahamb ♦

Actually, I am looking to use custom filters to do this task to make myself understand wireshark better.

(18 Aug '16, 08:12) geniusgenie007

This can't be done with filters, as they only give a match/no match for each frame to display it and don't take into account values in other frames. To show distinct values among frames, e.g. the protocol hierarchy, requires a "tap", which is what the items under the Statistics menu use.

(18 Aug '16, 08:26) grahamb ♦

You'll probably want to do that kind of thing in tshark (as Graham said, this isn't something to do with filters).

For your specific example of getting all the protocols in a file there's actually already a shell script for that (in the Wireshark source code, it's not installed when you install Wireshark): tools/list_protos_in_cap.sh.

Fundamentally the script just runs tshark -T fields -e frame.protocols -nr /path/to/file then does a little more magic to remove duplicate protocols.

Similar mechanisms can be used to find IP addresses, etc.


answered 18 Aug '16, 10:27


JeffMorriss ♦
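As an added example, not from this thread and not Wireshark's own tools/list_protos_in_cap.sh: a small POSIX shell script that post-processes tshark's -T fields output the way Jeff describes, giving the distinct protocols in a capture (plus a per-protocol frame count, a cheap stand-in for the Protocol Hierarchy tap), the distinct IP addresses, and the distinct DNS query names and HTTP Host headers. The tshark flags and field names (frame.protocols, ip.src, ip.dst, dns.qry.name, http.host) are real; the function names, the decision to use only those two host fields, and the constructed sample field output in the comments are assumptions of this example. It assumes tshark is on PATH.

```sh
#!/bin/sh
# Added example: distinct protocols, IP addresses and host names in a capture,
# built on the tshark "-T fields" output described in the answer above. Not from
# the thread and not Wireshark's tools/list_protos_in_cap.sh. Assumes tshark is
# on PATH; function names are this example's own.
export LC_ALL=C   # byte-wise, locale-independent sort order

# frame.protocols is one colon-separated stack per frame, e.g.
# "eth:ethertype:ip:tcp:http" (constructed sample). Split it and keep each
# protocol name once.
distinct_protos() {
    tr ':' '\n' | grep -v '^$' | sort -u
}

# Generic deduplication for "-T fields" output: columns are tab-separated, and
# a field that occurs several times in one frame is comma-joined by default
# (e.g. the inner IP header quoted in an ICMP error). Empty cells are dropped.
distinct_fields() {
    tr '\t,' '\n\n' | grep -v '^$' | sort -u
}

# Per-protocol frame counts. A protocol that shows up twice in one stack
# (ip inside an icmp error, for instance) is counted once for that frame,
# which is what a frame count should do. Ties are broken by protocol name.
proto_frame_counts() {
    awk -F: '{
        split("", seen)
        for (i = 1; i <= NF; i++)
            if ($i != "" && !($i in seen)) { seen[$i] = 1; n[$i]++ }
    } END { for (p in n) printf "%d %s\n", n[p], p }' | sort -k1,1nr -k2,2
}

# tshark front-ends. -n turns off name resolution so ip.src/ip.dst stay numeric;
# -Y restricts the host query to frames that actually carry one of the fields.
protos_in_cap()       { tshark -n -r "$1" -T fields -e frame.protocols | distinct_protos; }
proto_counts_in_cap() { tshark -n -r "$1" -T fields -e frame.protocols | proto_frame_counts; }
ips_in_cap()          { tshark -n -r "$1" -T fields -e ip.src -e ip.dst | distinct_fields; }
hosts_in_cap() {
    # Assumption: only DNS query names and HTTP Host headers are wanted. Add
    # another -e (e.g. the TLS SNI field of your Wireshark version) if needed.
    tshark -n -r "$1" -Y 'dns.qry.name || http.host' \
        -T fields -e dns.qry.name -e http.host | distinct_fields
}

# Usage: sh list_cap.sh capture.pcap   (does nothing when no file is given)
if [ -n "${1:-}" ]; then
    echo "== protocols (frames carrying each)"; proto_counts_in_cap "$1"
    echo "== ip addresses";                     ips_in_cap "$1"
    echo "== host names";                       hosts_in_cap "$1"
fi
```

The pipeline functions read tshark's field output on stdin, so they can be checked against a few hand-written lines without a capture, and swapped for any other -e field (tcp.port, eth.src, and so on) in the same way. The per-frame deduplication in proto_frame_counts is the part a naive tr | sort | uniq -c gets wrong: a tunnelled or ICMP-quoted packet lists ip twice in one frame.protocols stack.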

Thanks a lot Jeff and Graham, I will definitely give it a try.

(18 Aug '16, 14:59) geniusgenie007