On Wed, 23 Aug 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <zSWGg.587$(E-Mail Removed) >, AA wrote:
>I have a pcap file with traffic from multiple hosts.
What are you defining as a 'pcap file'? What application captured it?
>What would be an easy way to parse this file in order to pull out a
>list of unique IP addresses from this pcap file? I'm thinking it will
>probably use a command line utility like snort/tcpdump/tethereal to read
>the pcap and then perhaps run it through a bit of perl to help
>sort/organize, but this will probably take me a long time to figure out.
>Any suggestions or guidance greatly appreciated!
Assuming you can cause tcpdump to read the file (man tcpdump - perhaps the
-r option), the output of '/usr/sbin/tcpdump -r /name/of/file > /tmp/file'
should be a datestamp, source, destination, description per line - something
like
17:13:20.630000 221.208.208.2.32775 > 192.0.2.101.1026: udp 469 (DF)
17:13:20.720000 221.208.208.2.32775 > 192.0.2.101.1027: udp 469 (DF)
That happens to be windoze messenger spam[1], but TCP will look similar.
ICMP and ARP would lack the fifth dotted part of the address, as they don't
use port numbers. To grab the source IP, a quick/dirty would be
cut -d' ' -f2 < /tmp/file | cut -d'.' -f1-4 | sort -un | column
That takes the second field (separator is a space) from each line in the
source, then takes the first four fields (separator is a dot) from that
result, and tosses that to 'sort'. The pipe to column is just to reduce
the length of this post. The result would look something like
[compton ~]$ cut -d' ' -f2 < messenger.spam | cut -d'.' -f1-4 | sort -un | column
61.138.136.28 68.213.97.221 218.27.102.66 221.12.40.144 221.5.251.242
61.152.158.109 106.33.199.161 218.66.104.206 221.208.208.2 222.134.45.52
68.209.4.133 218.108.238.78 221.10.254.100 221.211.255.11 222.77.185.167
[compton ~]$
You could also use 'awk', 'perl', and several other tools - a better
solution is to use the tool you are familiar with and get the job done.
Pretty can come later. See the man pages, and TheGrendel's fabulous LDP
"Advanced Bash Scripting Guide" for a lot more ideas.
Old guy
[1] which means that these addresses are probably spoofed
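The same idea carried a step further, as an added example that is not part of the original post: a small POSIX sh script that reads the one-line-per-packet text tcpdump prints for "-r" and lists the unique source, destination, or all IPv4 addresses. It strips the trailing ".port" only when a field actually has five dotted parts (so ICMP lines survive), skips ARP lines (which have no "src > dst" pair), and sorts octet by octet. The sample traffic embedded below is constructed (RFC 5737 documentation addresses), not a real capture; the function names are my own.

```shell
#!/bin/sh
# Pull unique IPv4 addresses out of "tcpdump -n -r capture.pcap" text output.
# Added example; the SAMPLE below is constructed, not captured traffic.

SAMPLE='17:13:20.630000 221.208.208.2.32775 > 192.0.2.101.1026: udp 469 (DF)
17:13:20.720000 221.208.208.2.32775 > 192.0.2.101.1027: udp 469 (DF)
17:13:21.100000 198.51.100.7.443 > 192.0.2.101.51234: P 1:101(100) ack 1 win 64240
17:13:21.500000 192.0.2.101 > 198.51.100.7: icmp: echo request (DF)
17:13:22.000000 arp who-has 192.0.2.1 tell 192.0.2.101
17:13:22.300000 203.0.113.9.53 > 192.0.2.101.40001: 1234 1/0/0 A 198.51.100.7 (60)'

# extract_ips src|dst|both  < tcpdump-text
# Field 2 is the source and field 4 the destination in the "src > dst:" layout.
extract_ips() {
    awk -v which="$1" '
        function bare(a,  n, p) {
            sub(/:$/, "", a)                  # destination field ends with ":"
            n = split(a, p, ".")
            if (n == 5)                       # fifth dotted part is the port: drop it
                a = p[1] "." p[2] "." p[3] "." p[4]
            # keep only dotted quads; hostnames or "arp" fall through as ""
            return (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ? a : ""
        }
        $3 == ">" {                           # IP lines have "src > dst"; ARP lines do not
            if (which != "dst" && (a = bare($2)) != "") print a
            if (which != "src" && (a = bare($4)) != "") print a
        }'
}

# Sort numerically on each octet and drop exact duplicates only. Plain
# "sort -un" compares just the leading decimal number, so 221.10.x.x and
# 221.100.x.x would be treated as equal and one of them silently dropped.
sort_ips() {
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

unique_src_ips() { extract_ips src  | sort_ips; }
unique_dst_ips() { extract_ips dst  | sort_ips; }
unique_ips()     { extract_ips both | sort_ips; }

# Run against the constructed sample. On a real capture:
#   tcpdump -n -r capture.pcap | unique_ips
printf '%s\n' "$SAMPLE" | unique_ips
```

Run tcpdump with -n so it prints numeric addresses; resolved hostnames would not match the dotted-quad check and would be dropped. Because the address extraction and the sort are separate functions, the octet-wise sort can also be applied to any other list of addresses you already have.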