
One Entry per Source-IP/Dest-Port


I have a couple of huge Wireshark captures that I need to analyze and report on. Basically I am trying to prove 'what' and 'how' is talking to a pair of servers due to be decommissioned.

After I apply my filter (basically for the RFC1918 ranges used by the company) I still end up with over a million packets for each server.

I just need to report on which IPs are talking to these servers, and on which port, in an Excel format. Something like:

Source: 10.1.1.1 Port: 430 Server responded (y/n): yes

Obviously this is a pcap, so it's not just a single traffic, and in the case of SMB it's scattered all over the place and may be thousands of packets for what will eventually be a single row in my Excel sheet.

Is there any way I can filter each source-IP/dest-port combination into a single entry, without having to manually go over these gigantic captures?

Many thanks,

Josh

Acrylic
asked 2021-01-06 14:28:31 +0000, updated 2021-01-06 14:29:27 +0000


2 Answers


In the Statistics menu there is an item "Endpoints" that displays a dialog which (for various protocols as shown on the tabs) lists the addresses and ports as applicable for all hosts in the capture.

Similarly there is a "Conversations" dialog that shows the conversations between the hosts in the capture.

Both these dialogs have a checkbox to limit the details to the current display filter.

grahamb
answered 2021-01-06 15:04:16 +0000


Have you looked at using tshark to extract the data?
SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)

(sample capture used here from the Wireshark Wiki)

$ tshark -r ./smbtorture.cap.gz -Y "ip.dst==192.168.114.129" -T fields -e ip.src -e tcp.dstport -e udp.dstport -e _ws.col.Protocol | sort | uniq
192.168.114.1           389     CLDAP
192.168.114.1           49157   DNS
192.168.114.1           49178   DNS
192.168.114.1   139             NBSS
192.168.114.1   139             TCP
192.168.114.1   445             DCERPC
192.168.114.1   445             LANMAN
192.168.114.1   445             LSARPC
192.168.114.1   445             SMB
192.168.114.1   445             TCP
192.168.114.129,192.168.114.1           389     ICMP
192.168.114.254         68      DHCP
$

The query below shows response packets from the server.
If on Windows, sort has a /unique option:

C:\>tshark -r smbtorture.cap.gz -Y "ip.src==192.168.114.129" -T fields -e ip.dst -e tcp.srcport -e udp.srcport  | sort /unique
192.168.114.1           49157
192.168.114.1           49178
192.168.114.1   139
192.168.114.1   445
192.168.114.1,192.168.114.129           32811
192.168.114.254         68
192.168.114.255         137
192.168.114.255         138
224.0.0.22
Chuckc
answered 2021-01-06 16:07:58 +0000

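The tshark pipelines above give the unique source/port pairs, but the question also wants the "server responded (y/n)" column, which needs both directions correlated. The script below is an added example, not code from either answer or from the Wireshark project: it reads lines in the shape of `tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport` (tab-separated, empty field when absent), collapses them to one row per client, protocol and server port, marks a row "yes" when at least one packet came back from that server port to the client, and emits CSV for Excel. The server address and the sample lines are constructed for the demo; the comma-joined `ip.src` on one line mirrors the ICMP line in the answer's output, where an ICMP error carries a second IP header.

```python
import csv
import io
from collections import defaultdict

# Hypothetical server under review (the address from the sample capture above).
SERVER = "192.168.114.129"

# Constructed sample lines in the shape tshark prints for
#   -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport
# Fields are tab-separated; a field absent from a packet is left empty.
SAMPLE_LINES = """\
192.168.114.1\t192.168.114.129\t49170\t445\t\t
192.168.114.129\t192.168.114.1\t445\t49170\t\t
192.168.114.1\t192.168.114.129\t49170\t445\t\t
192.168.114.1\t192.168.114.129\t49171\t139\t\t
192.168.114.1\t192.168.114.129\t\t\t55000\t389
192.168.114.129\t192.168.114.1\t\t\t389\t55000
10.1.1.1\t192.168.114.129\t40000\t3389\t\t
10.1.1.1\t192.168.114.129\t\t\t\t
192.168.114.254\t192.168.114.129\t\t\t68\t67
192.168.114.129,192.168.114.1\t192.168.114.1,192.168.114.129\t\t\t\t
"""

FIELDS = ["source", "proto", "port", "packets", "server_responded"]


def parse_line(line):
    """Split one tshark '-T fields' line into (src, dst, proto, sport, dport).

    tshark joins repeated occurrences of a field with commas (an ICMP error
    carries the offending packet's IP header, so ip.src appears twice); the
    first value is the outer header, which is the one we want.  Passing
    '-E occurrence=f' to tshark achieves the same thing up front.
    """
    fields = line.rstrip("\n").split("\t")
    fields += [""] * (6 - len(fields))      # tolerate a line whose trailing tabs were stripped
    src, dst, t_sp, t_dp, u_sp, u_dp = (f.split(",")[0] for f in fields[:6])
    if t_sp or t_dp:
        return src, dst, "tcp", t_sp, t_dp
    if u_sp or u_dp:
        return src, dst, "udp", u_sp, u_dp
    return src, dst, "other", "", ""        # ICMP etc.: no transport port


def aggregate(lines, server):
    """Collapse packets into one row per (client, proto, server port).

    A row is 'yes' when at least one packet was seen from the server back to
    that client with the same server-side port, i.e. the server answered.
    """
    requests = defaultdict(int)
    responded = set()
    for line in lines:
        if not line.strip():
            continue
        src, dst, proto, sport, dport = parse_line(line)
        if dst == server:
            requests[(src, proto, dport)] += 1
        elif src == server:
            responded.add((dst, proto, sport))
    rows = [
        {
            "source": client,
            "proto": proto,
            "port": port,
            "packets": count,
            "server_responded": "yes" if (client, proto, port) in responded else "no",
        }
        for (client, proto, port), count in requests.items()
    ]
    rows.sort(key=lambda r: (r["source"], r["proto"], int(r["port"] or -1)))
    return rows


def to_csv(rows):
    """Render the rows as CSV text that Excel opens directly."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Real use would read sys.stdin from the tshark pipeline; the demo uses the sample.
    print(to_csv(aggregate(SAMPLE_LINES.splitlines(), SERVER)), end="")
```

Packets without a transport port (ICMP, for instance) still produce a row with proto `other` and an empty port, so a host that only probed the server with pings is not lost from the report. The packet count per row is kept because a single SMB session that shows as one row may account for thousands of packets, which is useful context when deciding whether a dependency is real.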
