I need to create a display filter that does the following: For each source IP address, list all destination IP addresses, but only list unique protocols for each destination IP address.
In other words, I want to see only one row of data for each unique:
ip.src = X, ip.dst = Y, protocol = Z
I'd like to create this filter such that it covers all source IPs, so I don't have to create a separate filter for each source IP address.
I need to do the above for many PCAP files in "batch" mode. If this cannot be done in the Wireshark GUI, then I would like a command-line (tshark) solution.
Best Answer
When I've done that sort of thing before, I typically use
tsharkto extract the data and then other tools (Python, Perl, awk, etc.) to further refine the resulting data. So with that approach in mind, you could use this:With that command line, you'll get exactly those fields, but be aware that some lines, such as those with ARP packets, won't have IP addresses (because they're not IP packets), and that IPv6 packets won't show IP addresses because those field names (
ip.srcandip.dst) are only for IPv4. Here's sample output from a capture file I happened to have handy:If you'd prefer to eliminate the non-IPv4 packets, just add a filter:
Under Linux (which is what I use), you can easily pipe the output of that into various other utility programs. For example, if you append this to that command line:
You'll get list, in ascending order of frequency, of each unique src, dst and proto combination present within your sample file.