Find the top 5 (according to number of packets sent) source IP addresses
I am doing an assignment, I'm asked to answer certain questions based on a pcap file that I'm given. One of the questions is to find the top 5 (according to number of packets sent) source IP addresses.
I have come up with the below command:

$ tshark -r assign1.pcap | sort -n -7 | tail -n 5 | awk '{print $3}'

where

- tshark -r reads the pcap file
- assign1.pcap is the packet capture file
- sort -n -7 sorts the file based on column 7 (this column has the length of the packet for each IP address)
- tail -n 5 prints the last 5 records, which have the highest packet length
- awk '{print $3}' prints only the third column.

Now here is my problem: since I need unique top 5 source IP addresses, I tried to pipe the uniq command at the end of the script but it doesn't help. I also tried to use sort -u -t, -k3,3 from this link but this also doesn't print unique IP addresses!
Can anyone help please?
My pcap file column headers look like this:
linux shell kali-linux sort tshark
asked Jul 5 at 3:50 by Hazmat
edited Jul 5 at 5:01 by slm
Can you share the result of tshark? (SivaPrasath, Jul 5 at 4:48)
2 Answers
I think if you reorganize the output from tshark using -T fields it's much easier. I was able to accomplish what you want like so:

$ tshark -r blah.pcap -T fields -e frame.len -e ip.src | sort -k 1n | tail -5
92 10.0.2.2
92 10.0.2.2
92 10.0.2.2
100 10.0.2.15
156 10.0.2.15

tshark fields

You can use this command to get a list of all the fields:

$ tshark -G fields

But I found that a bit difficult to read. If you want to understand the columns in the -G fields output, they're described here: tshark - Dump and analyze network traffic:

 * Header Fields
 * -------------
 * Field 1 = 'F'
 * Field 2 = descriptive field name
 * Field 3 = field abbreviation
 * Field 4 = type (textual representation of the ftenum type)
 * Field 5 = parent protocol abbreviation
 * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
 * Field 7 = bitmask: format: hex: 0x....
 * Field 8 = blurb describing field

You can use this grep to filter the output if you're brave:

$ tshark -G fields | grep -P '\s+(ip\.src|frame\.len)\s+'
F Frame length on the wire frame.len FT_UINT32 frame BASE_DEC 0x0
F Source ip.src FT_IPv4 ip 0x0

References
- tshark tutorial and filter examples
- Counting IP occurrences in PCAP file using tshark
- Specific IP address display filter using tshark
answered Jul 5 at 5:41 by slm (edited Jul 5 at 6:15)
Accepted answer:
So after getting a hint from this answer, I came up with this script:

$ tshark -r assign1.pcap | sort -n -r -k7 | awk '!seen[$3]++' | awk '{print $3}' | head -n 5 >> result.txt

Explaining each command in the line:

- tshark -r assign1.pcap reads the pcap file
- sort -n -r -k7 sorts the file numerically (-n) in reverse order (-r) on column 7 (-k7) [this column has the length of the packet for each IP address]
- awk '!seen[$3]++' prints only lines whose source IP address (3rd column) has not been seen before, so this way it prints only unique IPs
- awk '{print $3}' prints only the 3rd column (source IP address)
- head -n 5 limits the results to 5, since I need the top 5; finally, >> result.txt appends the terminal result to a text file.

I hope this helps anyone else working with the same type of problem :)
answered Jul 6 at 3:33 by Hazmat
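Both answers above rank rows by frame.len, while the assignment asks for the top 5 sources by number of packets sent. The following is an added example, not code from the question or either answer, that counts packets per ip.src on tshark's -T fields output; the helper name top_sources and the sample input lines are constructed here so it runs offline.

```shell
# Added example (not from the question or either answer above). It assumes
# the input is tshark's "-T fields -e ip.src" output, one line per packet,
# which is what you get from:
#   tshark -r assign1.pcap -T fields -e ip.src | top_sources 5
# The sample input below is constructed so the pipeline runs offline.

# top_sources N: read one ip.src value per line on stdin and print
# "count address" for the N sources that sent the most packets.
top_sources() {
    awk '
        NF {
            # ICMP error packets carry a second IP header, and tshark then
            # prints both addresses joined by a comma; the outer (first) one
            # is the actual sender, so count only that. Empty lines are
            # non-IP frames (e.g. ARP) and are skipped by the NF test.
            split($1, addr, ",")
            count[addr[1]]++
        }
        END { for (ip in count) print count[ip], ip }
    ' \
    | sort -k1,1nr -k2,2 \
    | head -n "$1"
}

# Constructed sample: 8 frames, one non-IP frame (empty ip.src) and one
# ICMP error line carrying two addresses.
SAMPLE_IP_SRC='10.0.2.15
10.0.2.2
10.0.2.15

10.0.2.15,192.168.1.1
10.0.2.2
10.0.2.15
192.168.1.10'

printf '%s\n' "$SAMPLE_IP_SRC" | top_sources 5
```

Ties are broken by address so the output is stable between runs; on the sample this prints 10.0.2.15 with 4 packets first.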