Hi,
I'm new to Wireshark. What I want to do is to do 2 captures. I want to make a filter out of the IP-addresses that are present in the first capture. I want to filter out those IP-addresses in the second capture. How do I do this without having to write ip.addr != address from first capture for all of the IP-addresses?
You can do this with tshark, either with copy & paste or in one go to extract packets from the second file into a third.
In a shell (bash or other) you can do the following to create a comma separated list of the ip addresses in the first file:
tshark -r <first-file> -T fields -E occurrence=f -e ip.src | sort -u | paste -d, -s -
You can copy & paste this into this display filter not ip.addr in {<copied list>} in Wireshark.
You can also create a new file in one go with the following command:
tshark -r <second file> -w <third file> -Y "not ip.addr in {$(tshark -r <first-file> -T fields -E occurrence=f -e ip.src | sort -u | paste -d, -s -)}"
And then open up the third file in Wireshark :-)
If you're on Windows, use a (bash) shell in WSL or CYGWIN or you can look up the equivalent of these commands for CMD or Powershell.
Comments