Find the top 5 (according to number of packets sent) source IP addresses

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
4
down vote

favorite
4












I am doing an assignment, I'm asked to answer certain questions based on pcap file that I'm given. One of the question is to find the top 5 (according to number of packets sent) source IP addresses.



I have come up with the below command:



$ tshark -r assign1.pcap | sort -n -7 | tail -n 5 | awk 'print $3'


where




  • tshark -r reads the pcap file


  • assign.pcap is the packet capture file


  • sort -n -7 sorts the file based on column 7 (this column has length of package for each ip address)


  • tail -n 5 print the last 5 records that has the highest length for packet


  • awk 'print $3 prints only the third column.

Now here is my problem since I need unique top 5 source ip addresses, so I tried to pipe uniq command in the end of script but doesn't help. I also tried to use sort -u -t, -k3,3 from this link but this also doesn't print unique ip addresses!



Can anyone help please?



My pcap file column header look like this:



   enter image description here







share|improve this question





















  • can u share the result of tshark?
    – SivaPrasath
    Jul 5 at 4:48














up vote
4
down vote

favorite
4












I am doing an assignment, I'm asked to answer certain questions based on pcap file that I'm given. One of the question is to find the top 5 (according to number of packets sent) source IP addresses.



I have come up with the below command:



$ tshark -r assign1.pcap | sort -n -7 | tail -n 5 | awk 'print $3'


where




  • tshark -r reads the pcap file


  • assign.pcap is the packet capture file


  • sort -n -7 sorts the file based on column 7 (this column has length of package for each ip address)


  • tail -n 5 print the last 5 records that has the highest length for packet


  • awk 'print $3 prints only the third column.

Now here is my problem since I need unique top 5 source ip addresses, so I tried to pipe uniq command in the end of script but doesn't help. I also tried to use sort -u -t, -k3,3 from this link but this also doesn't print unique ip addresses!



Can anyone help please?



My pcap file column header look like this:



   enter image description here







share|improve this question





















  • can u share the result of tshark?
    – SivaPrasath
    Jul 5 at 4:48












up vote
4
down vote

favorite
4









up vote
4
down vote

favorite
4






4





I am doing an assignment, I'm asked to answer certain questions based on pcap file that I'm given. One of the question is to find the top 5 (according to number of packets sent) source IP addresses.



I have come up with the below command:



$ tshark -r assign1.pcap | sort -n -7 | tail -n 5 | awk 'print $3'


where




  • tshark -r reads the pcap file


  • assign.pcap is the packet capture file


  • sort -n -7 sorts the file based on column 7 (this column has length of package for each ip address)


  • tail -n 5 print the last 5 records that has the highest length for packet


  • awk 'print $3 prints only the third column.

Now here is my problem since I need unique top 5 source ip addresses, so I tried to pipe uniq command in the end of script but doesn't help. I also tried to use sort -u -t, -k3,3 from this link but this also doesn't print unique ip addresses!



Can anyone help please?



My pcap file column header look like this:



   enter image description here







share|improve this question













I am doing an assignment, I'm asked to answer certain questions based on pcap file that I'm given. One of the question is to find the top 5 (according to number of packets sent) source IP addresses.



I have come up with the below command:



$ tshark -r assign1.pcap | sort -n -7 | tail -n 5 | awk 'print $3'


where




  • tshark -r reads the pcap file


  • assign.pcap is the packet capture file


  • sort -n -7 sorts the file based on column 7 (this column has length of package for each ip address)


  • tail -n 5 print the last 5 records that has the highest length for packet


  • awk 'print $3 prints only the third column.

Now here is my problem since I need unique top 5 source ip addresses, so I tried to pipe uniq command in the end of script but doesn't help. I also tried to use sort -u -t, -k3,3 from this link but this also doesn't print unique ip addresses!



Can anyone help please?



My pcap file column header look like this:



   enter image description here









share|improve this question












share|improve this question




share|improve this question








edited Jul 5 at 5:01









slm♦

233k65479651




233k65479651









asked Jul 5 at 3:50









Hazmat

1314




1314











  • can u share the result of tshark?
    – SivaPrasath
    Jul 5 at 4:48
















  • can u share the result of tshark?
    – SivaPrasath
    Jul 5 at 4:48















can u share the result of tshark?
– SivaPrasath
Jul 5 at 4:48




can u share the result of tshark?
– SivaPrasath
Jul 5 at 4:48










2 Answers
2






active

oldest

votes

















up vote
4
down vote













I think if you reorganize the output from tshark using -T fields it's much easier. I was able to accomplish what you want like so:



$ tshark -r blah.pcap -T fields -e frame.len -e ip.src | sort -k 1n | tail -5
92 10.0.2.2
92 10.0.2.2
92 10.0.2.2
100 10.0.2.15
156 10.0.2.15


tshark fields



You can use this command to get a list of all the fields:



$ tshark -G field


But I found that a bit difficult to read. If you want to understand the columns in the -G field output, they're described here: tshark - Dump and analyze network traffic:



 * Header Fields
* -------------
* Field 1 = 'F'
* Field 2 = descriptive field name
* Field 3 = field abbreviation
* Field 4 = type (textual representation of the ftenum type)
* Field 5 = parent protocol abbreviation
* Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
* Field 7 = bitmask: format: hex: 0x....
* Field 8 = blurb describing field


You can use this grep to filter the output if you're brave:



$ tshark -G fields | grep -P 's+(ip.src|frame.len)s+'
F Frame length on the wire frame.len FT_UINT32 frame BASE_DEC 0x0
F Source ip.src FT_IPv4 ip 0x0


References



  • enter link description here

  • tshark tutorial and filter examples

  • Counting IP occurrences in PCAP file using tshark

  • Specific IP address display filter using tshark





share|improve this answer






























    up vote
    1
    down vote



    accepted










    So after getting a hint from this answer, I came up with this script:



    $ tshark -r assign1.pcap | sort -n -r -k7 | awk '!seen[$3]++' | awk 'print $3' | head -n 5 >> result.txt


    Explaining each command in the line:




    • tshark -r assign1.pcap read the pcap file


    • sort -n -r -k7 numeric sort (-n) the file based on (-r) reverse order of (-k7) column 7 [ this column has length of package for each ip address ]


    • awk '!seen[$3]++' print source ip address (3rd column) that has not been seen before, so this way it prints only unique IPs


    • awk 'print $3' only print the 3rd column (source ip address)


    • head -n 5 >> result.txt since I need the top 5, so I limited my results to only 5 by using the head command, also last >> result.txt appends the terminal result to text file.

    I hope this helps anyone else working with the same type of problem :)






    share|improve this answer





















      Your Answer







      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "106"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: false,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );








       

      draft saved


      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f453520%2ffind-the-top-5-according-to-number-of-packets-sent-source-ip-addresses%23new-answer', 'question_page');

      );

      Post as a guest






























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      4
      down vote













      I think if you reorganize the output from tshark using -T fields it's much easier. I was able to accomplish what you want like so:



      $ tshark -r blah.pcap -T fields -e frame.len -e ip.src | sort -k 1n | tail -5
      92 10.0.2.2
      92 10.0.2.2
      92 10.0.2.2
      100 10.0.2.15
      156 10.0.2.15


      tshark fields



      You can use this command to get a list of all the fields:



      $ tshark -G field


      But I found that a bit difficult to read. If you want to understand the columns in the -G field output, they're described here: tshark - Dump and analyze network traffic:



       * Header Fields
      * -------------
      * Field 1 = 'F'
      * Field 2 = descriptive field name
      * Field 3 = field abbreviation
      * Field 4 = type (textual representation of the ftenum type)
      * Field 5 = parent protocol abbreviation
      * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
      * Field 7 = bitmask: format: hex: 0x....
      * Field 8 = blurb describing field


      You can use this grep to filter the output if you're brave:



      $ tshark -G fields | grep -P 's+(ip.src|frame.len)s+'
      F Frame length on the wire frame.len FT_UINT32 frame BASE_DEC 0x0
      F Source ip.src FT_IPv4 ip 0x0


      References



      • enter link description here

      • tshark tutorial and filter examples

      • Counting IP occurrences in PCAP file using tshark

      • Specific IP address display filter using tshark





      share|improve this answer



























        up vote
        4
        down vote













        I think if you reorganize the output from tshark using -T fields it's much easier. I was able to accomplish what you want like so:



        $ tshark -r blah.pcap -T fields -e frame.len -e ip.src | sort -k 1n | tail -5
        92 10.0.2.2
        92 10.0.2.2
        92 10.0.2.2
        100 10.0.2.15
        156 10.0.2.15


        tshark fields



        You can use this command to get a list of all the fields:



        $ tshark -G field


        But I found that a bit difficult to read. If you want to understand the columns in the -G field output, they're described here: tshark - Dump and analyze network traffic:



         * Header Fields
        * -------------
        * Field 1 = 'F'
        * Field 2 = descriptive field name
        * Field 3 = field abbreviation
        * Field 4 = type (textual representation of the ftenum type)
        * Field 5 = parent protocol abbreviation
        * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
        * Field 7 = bitmask: format: hex: 0x....
        * Field 8 = blurb describing field


        You can use this grep to filter the output if you're brave:



        $ tshark -G fields | grep -P 's+(ip.src|frame.len)s+'
        F Frame length on the wire frame.len FT_UINT32 frame BASE_DEC 0x0
        F Source ip.src FT_IPv4 ip 0x0


        References



        • enter link description here

        • tshark tutorial and filter examples

        • Counting IP occurrences in PCAP file using tshark

        • Specific IP address display filter using tshark





        share|improve this answer

























          up vote
          4
          down vote










          up vote
          4
          down vote









          I think if you reorganize the output from tshark using -T fields it's much easier. I was able to accomplish what you want like so:



          $ tshark -r blah.pcap -T fields -e frame.len -e ip.src | sort -k 1n | tail -5
          92 10.0.2.2
          92 10.0.2.2
          92 10.0.2.2
          100 10.0.2.15
          156 10.0.2.15


          tshark fields



          You can use this command to get a list of all the fields:



          $ tshark -G field


          But I found that a bit difficult to read. If you want to understand the columns in the -G field output, they're described here: tshark - Dump and analyze network traffic:



           * Header Fields
          * -------------
          * Field 1 = 'F'
          * Field 2 = descriptive field name
          * Field 3 = field abbreviation
          * Field 4 = type (textual representation of the ftenum type)
          * Field 5 = parent protocol abbreviation
          * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
          * Field 7 = bitmask: format: hex: 0x....
          * Field 8 = blurb describing field


          You can use this grep to filter the output if you're brave:



          $ tshark -G fields | grep -P 's+(ip.src|frame.len)s+'
          F Frame length on the wire frame.len FT_UINT32 frame BASE_DEC 0x0
          F Source ip.src FT_IPv4 ip 0x0


          References



          • enter link description here

          • tshark tutorial and filter examples

          • Counting IP occurrences in PCAP file using tshark

          • Specific IP address display filter using tshark





          share|improve this answer















          I think if you reorganize the output from tshark using -T fields it's much easier. I was able to accomplish what you want like so:



          $ tshark -r blah.pcap -T fields -e frame.len -e ip.src | sort -k 1n | tail -5
          92 10.0.2.2
          92 10.0.2.2
          92 10.0.2.2
          100 10.0.2.15
          156 10.0.2.15


          tshark fields



          You can use this command to get a list of all the fields:



          $ tshark -G field


          But I found that a bit difficult to read. If you want to understand the columns in the -G field output, they're described here: tshark - Dump and analyze network traffic:



           * Header Fields
          * -------------
          * Field 1 = 'F'
          * Field 2 = descriptive field name
          * Field 3 = field abbreviation
          * Field 4 = type (textual representation of the ftenum type)
          * Field 5 = parent protocol abbreviation
          * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
          * Field 7 = bitmask: format: hex: 0x....
          * Field 8 = blurb describing field


          You can use this grep to filter the output if you're brave:



          $ tshark -G fields | grep -P 's+(ip.src|frame.len)s+'
          F Frame length on the wire frame.len FT_UINT32 frame BASE_DEC 0x0
          F Source ip.src FT_IPv4 ip 0x0


          References



          • enter link description here

          • tshark tutorial and filter examples

          • Counting IP occurrences in PCAP file using tshark

          • Specific IP address display filter using tshark






          share|improve this answer















          share|improve this answer



          share|improve this answer








          edited Jul 5 at 6:15


























          answered Jul 5 at 5:41









          slm♦

          233k65479651




          233k65479651






















              up vote
              1
              down vote



              accepted










              So after getting a hint from this answer, I came up with this script:



              $ tshark -r assign1.pcap | sort -n -r -k7 | awk '!seen[$3]++' | awk 'print $3' | head -n 5 >> result.txt


              Explaining each command in the line:




              • tshark -r assign1.pcap read the pcap file


              • sort -n -r -k7 numeric sort (-n) the file based on (-r) reverse order of (-k7) column 7 [ this column has length of package for each ip address ]


              • awk '!seen[$3]++' print source ip address (3rd column) that has not been seen before, so this way it prints only unique IPs


              • awk 'print $3' only print the 3rd column (source ip address)


              • head -n 5 >> result.txt since I need the top 5, so I limited my results to only 5 by using the head command, also last >> result.txt appends the terminal result to text file.

              I hope this helps anyone else working with the same type of problem :)






              share|improve this answer

























                up vote
                1
                down vote



                accepted










                So after getting a hint from this answer, I came up with this script:



                $ tshark -r assign1.pcap | sort -n -r -k7 | awk '!seen[$3]++' | awk 'print $3' | head -n 5 >> result.txt


                Explaining each command in the line:




                • tshark -r assign1.pcap read the pcap file


                • sort -n -r -k7 numeric sort (-n) the file based on (-r) reverse order of (-k7) column 7 [ this column has length of package for each ip address ]


                • awk '!seen[$3]++' print source ip address (3rd column) that has not been seen before, so this way it prints only unique IPs


                • awk 'print $3' only print the 3rd column (source ip address)


                • head -n 5 >> result.txt since I need the top 5, so I limited my results to only 5 by using the head command, also last >> result.txt appends the terminal result to text file.

                I hope this helps anyone else working with the same type of problem :)






                share|improve this answer























                  up vote
                  1
                  down vote



                  accepted







                  up vote
                  1
                  down vote



                  accepted






                  So after getting a hint from this answer, I came up with this script:



                  $ tshark -r assign1.pcap | sort -n -r -k7 | awk '!seen[$3]++' | awk 'print $3' | head -n 5 >> result.txt


                  Explaining each command in the line:




                  • tshark -r assign1.pcap read the pcap file


                  • sort -n -r -k7 numeric sort (-n) the file based on (-r) reverse order of (-k7) column 7 [ this column has length of package for each ip address ]


                  • awk '!seen[$3]++' print source ip address (3rd column) that has not been seen before, so this way it prints only unique IPs


                  • awk 'print $3' only print the 3rd column (source ip address)


                  • head -n 5 >> result.txt since I need the top 5, so I limited my results to only 5 by using the head command, also last >> result.txt appends the terminal result to text file.

                  I hope this helps anyone else working with the same type of problem :)






                  share|improve this answer













                  So after getting a hint from this answer, I came up with this script:



                  $ tshark -r assign1.pcap | sort -n -r -k7 | awk '!seen[$3]++' | awk 'print $3' | head -n 5 >> result.txt


                  Explaining each command in the line:




                  • tshark -r assign1.pcap read the pcap file


                  • sort -n -r -k7 numeric sort (-n) the file based on (-r) reverse order of (-k7) column 7 [ this column has length of package for each ip address ]


                  • awk '!seen[$3]++' print source ip address (3rd column) that has not been seen before, so this way it prints only unique IPs


                  • awk 'print $3' only print the 3rd column (source ip address)


                  • head -n 5 >> result.txt since I need the top 5, so I limited my results to only 5 by using the head command, also last >> result.txt appends the terminal result to text file.

                  I hope this helps anyone else working with the same type of problem :)







                  share|improve this answer













                  share|improve this answer



                  share|improve this answer











                  answered Jul 6 at 3:33









                  Hazmat

                  1314




                  1314






















                       

                      draft saved


                      draft discarded


























                       


                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f453520%2ffind-the-top-5-according-to-number-of-packets-sent-source-ip-addresses%23new-answer', 'question_page');

                      );

                      Post as a guest













































































                      Popular posts from this blog

                      How to check contact read email or not when send email to Individual?

                      Displaying single band from multi-band raster using QGIS

                      How many registers does an x86_64 CPU actually have?