The listing you showed at top appears to be from a snort or suricata alert file, and using grep on a pcap file is unlikely to give you what you want. The right tool for extracting the things you want is probably tshark (the command-line version of wireshark).

Extract the destination IPs:

`tshark -r file.pcap -T fields -e ip.dst`

Extract TCP source and destination IPs and ports:

`tshark -r file.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -Y tcp`

Same for UDP:

`tshark -r file.pcap -T fields -e ip.src -e udp.srcport -e ip.dst -e udp.dstport -Y udp`

Pipe any of the above to `sort -u` to get unique addresses/tuples.

Another option is to produce an all-inclusive listing in a format suitable for loading into a spreadsheet and use spreadsheet functions to slice and dice as you see fit. One such command line would produce a comma-separated-value format:

`tshark -r file.pcap -E separator=, -T fields -e ip.proto -e ip.src -e tcp.srcport -e udp.srcport -e ip.dst -e tcp.dstport -e udp.dstport -Y "udp or tcp"`

The ip.proto column here is 6 for TCP or 17 for UDP.
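As an added example, not part of the original answer, here is a small Python parser for the CSV that the last tshark command line above emits. It picks the port columns that match the ip.proto value, counts unique 5-tuples, and skips rows whose column count is wrong (tshark joins multi-valued fields with "," by default, which shifts the columns). The sample rows are constructed, not captured from a real pcap.

```python
"""Turn the 7-column tshark CSV (ip.proto, ip.src, tcp.srcport, udp.srcport,
ip.dst, tcp.dstport, udp.dstport) into unique per-protocol 5-tuples."""
from collections import Counter

PROTO_NAMES = {"6": "tcp", "17": "udp"}

# Constructed sample of what the command line in the text produces. For a TCP
# packet the udp.* columns are empty, and vice versa. The last row is
# deliberately malformed (eight columns) to exercise the sanity check.
SAMPLE_CSV = """\
6,10.0.0.5,51000,,93.184.216.34,443,
6,10.0.0.5,51000,,93.184.216.34,443,
17,10.0.0.5,,53412,10.0.0.1,,53
6,10.0.0.7,51001,,93.184.216.34,443,
17,10.0.0.1,,53,10.0.0.5,,53412
6,10.0.0.5,51000,,93.184.216.34,443,,extra
"""


def parse_rows(text):
    """Return (Counter of (proto, src, sport, dst, dport) -> packet count,
    number of rows skipped as malformed)."""
    flows = Counter()
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split(",")
        if len(cols) != 7:          # a multi-valued field shifted the columns
            malformed += 1
            continue
        proto, src, tcp_sport, udp_sport, dst, tcp_dport, udp_dport = cols
        name = PROTO_NAMES.get(proto)
        if name == "tcp":
            sport, dport = tcp_sport, tcp_dport
        elif name == "udp":
            sport, dport = udp_sport, udp_dport
        else:                        # ip.proto outside the -Y "udp or tcp" filter
            malformed += 1
            continue
        if not sport or not dport:  # proto says TCP/UDP but no ports were parsed
            malformed += 1
            continue
        flows[(name, src, sport, dst, dport)] += 1
    return flows, malformed


def unique_destinations(text):
    """Equivalent of '-e ip.dst | sort -u' computed from the full CSV."""
    flows, _ = parse_rows(text)
    return sorted({key[3] for key in flows})


if __name__ == "__main__":
    flows, bad = parse_rows(SAMPLE_CSV)
    for (proto, src, sport, dst, dport), n in sorted(flows.items()):
        print(f"{n:4d} {proto} {src}:{sport} -> {dst}:{dport}")
    print(f"{bad} malformed row(s) skipped")
```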