Find the top 5 (according to number of packets sent) source IP addresses

I am doing an assignment in which I'm asked to answer certain questions based on a pcap file that I'm given. One of the questions is to find the top 5 (according to number of packets sent) source IP addresses.

I have come up with the below command:

    $ tshark -r assign1.pcap | sort -n -k7 | tail -n 5 | awk '{print $3}'

where

  • tshark -r reads the pcap file
  • assign1.pcap is the packet capture file
  • sort -n -k7 sorts the output numerically on column 7 (this column has the length of the packet for each IP address)
  • tail -n 5 prints the last 5 records, i.e. those with the highest packet length
  • awk '{print $3}' prints only the third column.

Now here is my problem: since I need the unique top 5 source IP addresses, I tried to pipe the uniq command at the end of the script, but it doesn't help. I also tried to use sort -u -t, -k3,3 from this link, but this also doesn't print unique IP addresses!

Can anyone help please?

My pcap file column header looks like this:
   [screenshot of the tshark column headers; image not included]

asked Jul 5 at 3:50 by Hazmat; edited Jul 5 at 5:01 by slm♦

  • Can you share the result of tshark? – SivaPrasath, Jul 5 at 4:48

2 Answers

I think if you reorganize the output from tshark using -T fields it's much easier. I was able to accomplish what you want like so:

    $ tshark -r blah.pcap -T fields -e frame.len -e ip.src | sort -k 1n | tail -5
    92 10.0.2.2
    92 10.0.2.2
    92 10.0.2.2
    100 10.0.2.15
    156 10.0.2.15

tshark fields

You can use this command to get a list of all the fields:

    $ tshark -G fields

But I found that a bit difficult to read. If you want to understand the columns in the -G fields output, they're described here: tshark - Dump and analyze network traffic:

     * Header Fields
     * -------------
     * Field 1 = 'F'
     * Field 2 = descriptive field name
     * Field 3 = field abbreviation
     * Field 4 = type (textual representation of the ftenum type)
     * Field 5 = parent protocol abbreviation
     * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
     * Field 7 = bitmask: format: hex: 0x....
     * Field 8 = blurb describing field

You can use this grep to filter the output if you're brave:

    $ tshark -G fields | grep -P '\s+(ip\.src|frame\.len)\s+'
    F Frame length on the wire frame.len FT_UINT32 frame BASE_DEC 0x0
    F Source ip.src FT_IPv4 ip 0x0

References

  • tshark tutorial and filter examples
  • Counting IP occurrences in PCAP file using tshark
  • Specific IP address display filter using tshark





answered Jul 5 at 5:41 by slm♦; edited Jul 5 at 6:15











So after getting a hint from this answer, I came up with this script:

    $ tshark -r assign1.pcap | sort -n -r -k7 | awk '!seen[$3]++' | awk '{print $3}' | head -n 5 >> result.txt

Explaining each command in the line:

  • tshark -r assign1.pcap reads the pcap file
  • sort -n -r -k7 sorts the output numerically (-n), in reverse order (-r), on column 7 (-k7) [this column has the length of the packet for each IP address]
  • awk '!seen[$3]++' prints each line whose source IP address (3rd column) has not been seen before, so this way it prints only unique IPs
  • awk '{print $3}' prints only the 3rd column (source IP address)
  • head -n 5 >> result.txt: since I need the top 5, I limited my results to only 5 by using the head command; the final >> result.txt appends the terminal output to a text file.

I hope this helps anyone else working with the same type of problem :)






answered Jul 6 at 3:33 by Hazmat (accepted answer)
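Added example, not part of the question or of either answer: a POSIX shell script that ranks sources by the number of packets they sent, which is what the assignment asks for, using the same tshark summary columns the question's pipeline relies on (column 3 = source address, column 7 = frame length). It goes beyond both answers in two ways: it also ranks by total bytes sent, and it reproduces the accepted answer's sort-by-length/dedupe pipeline side by side so the difference is visible, since that pipeline ranks a source by its single largest frame, not by how many frames it sent. The nine summary lines are constructed for the demonstration and are not taken from assign1.pcap; the function names are my own; and top_by_packets_from_pcap assumes a working tshark and a capture path, so it is the only part that does not run offline.

```shell
#!/bin/sh
# Constructed sample in the shape of tshark's default summary output
# (No., Time, Source, ->, Destination, Protocol, Length, Info). Not taken
# from the assignment's capture; addresses are private-range values.
SAMPLE_SUMMARY='  1   0.000000   10.0.2.15 -> 10.0.2.2       TCP  74 51234 -> 80 [SYN]
  2   0.000120   10.0.2.2 -> 10.0.2.15       TCP  74 80 -> 51234 [SYN, ACK]
  3   0.000250   10.0.2.15 -> 10.0.2.2       TCP  66 51234 -> 80 [ACK]
  4   0.001000   10.0.2.15 -> 10.0.2.2       HTTP 156 GET / HTTP/1.1
  5   0.050000   10.0.2.2 -> 10.0.2.15       HTTP 1514 HTTP/1.1 200 OK
  6   0.050500   10.0.2.15 -> 10.0.2.2       TCP  66 51234 -> 80 [ACK]
  7   1.000000   192.168.56.101 -> 10.0.2.15 ICMP 98 Echo (ping) request
  8   1.000300   10.0.2.15 -> 192.168.56.101 ICMP 98 Echo (ping) reply
  9   2.000000   192.168.56.101 -> 10.0.2.15 ICMP 98 Echo (ping) request'

# Top N sources by number of packets sent (the assignment's question).
# Reads summary lines on stdin and prints "count ip", highest count first;
# ties are broken by address so the output is deterministic. The regex
# guard skips lines whose source column is not an IPv4 address (ARP
# frames show a MAC address there).
top_by_packets() {
    awk '$3 ~ /^[0-9.]+$/ { n[$3]++ } END { for (ip in n) print n[ip], ip }' \
        | sort -k1,1nr -k2,2 | head -n "${1:-5}"
}

# Top N sources by total bytes sent: sum of column 7 per source.
top_by_bytes() {
    awk '$3 ~ /^[0-9.]+$/ { b[$3] += $7 } END { for (ip in b) print b[ip], ip }' \
        | sort -k1,1nr -k2,2 | head -n "${1:-5}"
}

# The accepted answer's approach, kept for comparison: sort frames by
# length, keep the first line per source, take N. This ranks a source by
# its single largest frame, not by how many frames it sent.
top_by_largest_frame() {
    sort -k7,7nr | awk '!seen[$3]++ { print $3 }' | head -n "${1:-5}"
}

# Same counting straight from a capture file, using tshark's field output
# instead of the summary columns. Requires tshark (assumption); -Y ip
# drops frames without an IPv4 header so ip.src is never empty.
top_by_packets_from_pcap() {
    tshark -r "$1" -Y ip -T fields -e ip.src \
        | sort | uniq -c | sort -k1,1nr -k2,2 | head -n "${2:-5}"
}

# Stand-alone demonstration on the constructed sample: 10.0.2.15 sent the
# most packets, while the largest-frame ranking puts 10.0.2.2 first.
printf '%s\n' "$SAMPLE_SUMMARY" | top_by_packets 5
printf '%s\n' "$SAMPLE_SUMMARY" | top_by_largest_frame 5
```

Per-source packet counts are the basic "top talkers" view an analyst wants from a capture; the bytes variant answers the related question of who moved the most data, and the two rankings often disagree, as the sample shows.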
