Wireshark Display Filter for Unique Source/Destination IP and Protocol


Problem description

I need to create a display filter that does the following: For each source IP address, list all destination IP addresses, but only list unique protocols for each destination IP address.

In other words, I want to see only one row of data for each unique: ip.src = X, ip.dst = Y, protocol = Z

I'd like to create this filter such that it covers all source IPs, so I don't have to create a separate filter for each source IP address.

I need to do the above for many PCAP files in "batch" mode. If this cannot be done in the Wireshark GUI, then I would like a command-line (tshark) solution.

Recommended answer

When I've done that sort of thing before, I typically use tshark to extract the data and then other tools (Python, Perl, awk, etc.) to further refine the resulting data. So with that approach in mind, you could use this:

tshark -r mysample.pcapng.gz -2 -Tfields -eip.src -eip.dst -eframe.protocols

With that command line, you'll get exactly those fields, but be aware that some lines, such as those with ARP packets, won't have IP addresses (because they're not IP packets), and that IPv6 packets won't show IP addresses because those field names (ip.src and ip.dst) are only for IPv4. Here's sample output from a capture file I happened to have handy:

10.68.40.152    224.0.0.252 eth:ethertype:ip:udp:dns
10.68.40.119    255.255.255.255 eth:ethertype:ip:udp:db-lsp-disc
10.68.40.119    10.68.41.255    eth:ethertype:ip:udp:db-lsp-disc
        eth:ethertype:arp
10.68.40.152    224.0.0.252 eth:ethertype:ip:udp:dns
10.68.40.65 10.68.41.255    eth:ethertype:ip:udp:nbns
        eth:ethertype:ipv6:ipv6.nxt:udp:dns
        eth:ethertype:ipv6:ipv6.nxt:udp:dns

If you'd prefer to eliminate the non-IPv4 packets, just add a filter:

tshark -r mysample.pcapng.gz -2 -Tfields -R ip -eip.src -eip.dst -eframe.protocols

Under Linux (which is what I use), you can easily pipe the output of that into various other utility programs. For example, if you append this to that command line:

|sort -n |uniq -c |sort -n 

You'll get a list, in ascending order of frequency, of each unique src, dst and proto combination present within your sample file.
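The following POSIX shell script is an added example and is not part of the original answer; it turns the tshark-plus-pipeline approach above into the batch job the question asks for. It assumes tshark is on PATH and that the capture files sit under one directory with .pcap, .pcapng or .pcapng.gz names. The post-processing step is kept separate from the tshark call so it can be exercised offline on constructed lines shaped like the sample output above. Two choices made here go beyond the answer: the protocol column is reduced to the innermost label of frame.protocols (dns rather than eth:ethertype:ip:udp:dns), and lines without an IPv4 source (ARP, IPv6) are dropped even if -R ip was forgotten.

```shell
#!/bin/sh
# Added example (not the original answer's code): aggregate unique
# (ip.src, ip.dst, protocol) tuples across many capture files.
# Assumes: tshark on PATH; captures named *.pcap, *.pcapng or *.pcapng.gz.

tab=$(printf '\t')

# extract_fields FILE
# Emit one tab-separated line per IPv4 packet: src, dst, protocol stack.
# -2 enables two-pass mode, which -R (read filter) requires.
extract_fields() {
    tshark -r "$1" -2 -R ip -T fields -e ip.src -e ip.dst -e frame.protocols
}

# summarize_tuples
# Read extract_fields output on stdin and print
#   COUNT<TAB>SRC<TAB>DST<TAB>PROTO
# once per unique tuple, most frequent first. PROTO is the innermost
# label of frame.protocols (a choice made here, not in the original answer).
summarize_tuples() {
    awk -F "$tab" '
        # Guard against non-IPv4 rows (ARP, IPv6) in case -R ip was omitted.
        $1 == "" || $2 == "" { next }
        {
            n = split($3, stack, ":")
            key = $1 "\t" $2 "\t" stack[n]
            count[key]++
        }
        END {
            for (k in count) printf "%d\t%s\n", count[k], k
        }
    ' | LC_ALL=C sort -t "$tab" -k1,1nr -k2,2 -k3,3 -k4,4
}

# batch_summary DIR
# Run every capture below DIR through tshark and aggregate the results.
batch_summary() {
    find "$1" -type f \( -name '*.pcap' -o -name '*.pcapng' -o -name '*.pcapng.gz' \) \
        | while IFS= read -r f; do
            extract_fields "$f"
        done | summarize_tuples
}

# sample_fields
# Constructed input that mirrors the sample output shown in the answer,
# including an ARP row and an IPv6 row with empty IPv4 address fields.
sample_fields() {
    printf '%s\n' \
        "10.68.40.152${tab}224.0.0.252${tab}eth:ethertype:ip:udp:dns" \
        "10.68.40.119${tab}255.255.255.255${tab}eth:ethertype:ip:udp:db-lsp-disc" \
        "10.68.40.119${tab}10.68.41.255${tab}eth:ethertype:ip:udp:db-lsp-disc" \
        "${tab}${tab}eth:ethertype:arp" \
        "10.68.40.152${tab}224.0.0.252${tab}eth:ethertype:ip:udp:dns" \
        "10.68.40.65${tab}10.68.41.255${tab}eth:ethertype:ip:udp:nbns" \
        "${tab}${tab}eth:ethertype:ipv6:ipv6.nxt:udp:dns"
}

# Usage: sh summarize.sh /path/to/captures
if [ "$#" -gt 0 ]; then
    batch_summary "$1"
fi
```

Running `sample_fields | summarize_tuples` without tshark installed shows the shape of the result: the duplicated DNS row collapses to a count of 2, the ARP and IPv6 rows disappear, and the remaining rows are sorted by count and then by address. Swap `frame.protocols` for `_ws.col.Protocol` in `extract_fields` if you prefer Wireshark's own Protocol column label instead of the innermost stack element.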
