2

I have a pcap file and I want to wireshark shows me packets with distinct source address. How can I do this in wireshark?

Richard
  • 117
  • 2
  • 2
  • 9

3 Answers3

2

Use the IPv4 tab in the Endpoints (or Conversations) item under the Statistics menu to see a list of unique hosts (or conversations). You can further filter your capture from here too by right-clicking on a specific entry.

enter image description here

enter image description here

Jens Ehrich
  • 865
  • 5
  • 11
1

From your comment to EMK's answer, it seems what you're looking for is a unique list of source IP addresses in a capture file. Assuming so, you can achieve this with tshark as follows:

On *nix platforms:

tshark -r capture.pcap -T fields -e ip.src | sort -u

On Windows, you will probably need a batch file to accomplish equivalent of sort -u. You can probably use the one provided here, and provided below:

tshark.exe -r capture.pcap -T fields -e ip.src > uniqinput.txt
sortuniq.bat uniqinput.txt

Batch file:

@echo off
setlocal disabledelayedexpansion
set "prev="
for /f "delims=" %%F in ('sort uniqinput.txt') do (
  set "curr=%%F"
  setlocal enabledelayedexpansion
  if "!prev!" neq "!curr!" echo !curr!
  endlocal
  set "prev=%%F"
)
Community
  • 1
Christopher Maynard
  • 471
  • 2
  • 8
0

I assume you are looking for the IPV4 source, e.g.

ip.src == 192.168.0.200

Tip: In the Packet View, you can right click a value and choose "Apply as filter".

HelpingHand
  • 2,248
  • 10
  • 14
  • No, suppose that we have 10 packets, and 4 of these have ip.src == 192.168.1.100, 4 of others have ip,src == 192.168.1.101 and remainder have ip.src == 192.168.1.102. Now I want to wireshark shows me just three packets with ip.src == 192.168.1.100, 192.168.1.101 and 192.168.1.102. – Richard Jan 23 '17 at 21:54