How to filter packets with distinct source address in wireshark?

wireshark sorting packet pcap

10,675

Solution 1

Use the IPv4 tab in the Endpoints (or Conversations) item under the Statistics menu to see a list of unique hosts (or conversations). You can further filter your capture from here too by right-clicking on a specific entry.

Solution 2

From your comment to EMK's answer, it seems what you're looking for is a unique list of source IP addresses in a capture file. Assuming so, you can achieve this with tshark as follows:

On *nix platforms:

tshark -r capture.pcap -T fields -e ip.src | sort -u

On Windows, you will probably need a batch file to accomplish equivalent of sort -u. You can probably use the one provided here, and provided below:

tshark.exe -r capture.pcap -T fields -e ip.src > uniqinput.txt
sortuniq.bat uniqinput.txt

Batch file:

@echo off
setlocal disabledelayedexpansion
set "prev="
for /f "delims=" %%F in ('sort uniqinput.txt') do (
  set "curr=%%F"
  setlocal enabledelayedexpansion
  if "!prev!" neq "!curr!" echo !curr!
  endlocal
  set "prev=%%F"
)

10,675

Richard

Updated on September 18, 2022

Comments

Richard over 1 year

I have a pcap file and I want to wireshark shows me packets with distinct source address. How can I do this in wireshark?
Richard over 7 years

No, suppose that we have 10 packets, and 4 of these have ip.src == 192.168.1.100, 4 of others have ip,src == 192.168.1.101 and remainder have ip.src == 192.168.1.102. Now I want to wireshark shows me just three packets with ip.src == 192.168.1.100, 192.168.1.101 and 192.168.1.102.
Richard over 7 years

I tried this before, But in the Endpoints, there isn't any packet to show.
Richard over 7 years

Where is the output of this?: 'tshark -r capture.pcap -T fields -e ip.src | sort -u'
Christopher Maynard over 7 years

The output goes to stdout by default; you can redirect it to a file or pipe it to another command if you wish.