I've got 50-100MB pcap files captured from Wireshark and need to analyze where most of the traffic is going to/coming from.
What's the best way of doing this? Ideally I'd like to end up with an Excel csv file showing the top 50 or so IP addresses so I can sort and analyze.
You can also use tshark statistics:
Here are some examples:
$ tshark -r http.pcap -q -z conv,eth -z conv,ip -z conv,tcp TCP Conversations Filter: | | | Total | | Frames Bytes | | Frames Bytes | | Frames Bytes | 192.168.108.128:1047 64.186.152.93:80 9 7834 7 1358 16 9192 192.168.108.128:1048 64.186.152.93:80 4 1868 4 623 8 2491 ================================================================================ ================================================================================ IPv4 Conversations Filter: | | | Total | | Frames Bytes | | Frames Bytes | | Frames Bytes | 192.168.108.128 64.186.152.93 13 9702 11 1981 24 11683 192.168.108.128 192.168.108.2 1 202 1 73 2 275 ================================================================================ ================================================================================ Ethernet Conversations Filter: | | | Total | | Frames Bytes | | Frames Bytes | | Frames Bytes | 00:0c:29:61:82:89 00:50:56:ee:98:59 14 9904 13 2096 27 12000 00:50:56:ee:98:59 ff:ff:ff:ff:ff:ff 0 0 1 60 1 60 ================================================================================ $ tshark -r http.pcap -q -z conv,eth,eth.addr==00:0c:29:61:82:89 -z conv,ip,ip.addr==192.168.108.2 -z conv,tcp,ip.addr==64.186.152.93 ================================================================================ TCP Conversations Filter:ip.addr==64.186.152.93 | | | Total | | Frames Bytes | | Frames Bytes | | Frames Bytes | 192.168.108.128:1047 64.186.152.93:80 9 7834 7 1358 16 9192 192.168.108.128:1048 64.186.152.93:80 4 1868 4 623 8 2491 ================================================================================ ================================================================================ IPv4 Conversations Filter:ip.addr==192.168.108.2 | | | Total | | Frames Bytes | | Frames Bytes | | Frames Bytes | 192.168.108.128 192.168.108.2 1 202 1 73 2 275 ================================================================================ ================================================================================ Ethernet Conversations Filter:eth.addr==00:0c:29:61:82:89 | | | Total | | Frames Bytes | | Frames Bytes | | Frames Bytes | 00:0c:29:61:82:89 00:50:56:ee:98:59 14 9904 13 2096 27 12000 ================================================================================by source address
by dest address
pipe either of those to | sort | uniq -c | sort -n | tail -50
you can get the top src/dst pairs with
To get a list of fields you can work with
(warning, wireshark has an overwhelming list of fields)