Wireshark's TShark command-line utility will probably work better, as it allows more control over the output format of packets.

You could, for example, do

    tshark -r mypcap.pcap -T fields -E separator=, -e eth.src -e eth.dst

which will, for an Ethernet capture, print, for each packet, the source and destination MAC addresses with a comma between them.

To quote the uniq man page on my machine:

    Repeated lines in the input will not be detected if they are not adjacent, so it may be necessary to sort the files first.

So you should next pipe the output of tshark to sort. However, in that case, what sort will be sorting, and what uniq will be checking for uniqueness and counting with -c, are pairs of source and destination addresses.

If you want a count of source MAC addresses, without caring about the destination MAC addresses, do

    tshark -r mypcap.pcap -T fields -e eth.src | sort | uniq -c

That's probably the best way to determine what addresses are present on your network; a machine on your network could be sending packets to a destination address that is not on your network (and perhaps does not exist anywhere on Earth, or launched from Earth), so the destination addresses may not be what you want. On the other hand, if there's a machine on your network with that destination address, and it's not bothering to send any packets on the network, it wouldn't show up if you're looking only at source addresses; however, that's unlikely to be the case, even if it's not impossible. (It wouldn't respond to, for example, ARP packets, making it less likely, although not impossible, for other machines on your network to know about its MAC address, and thus making it less likely, although not impossible, that its MAC address would be a destination address.)

For destination MAC addresses, do

    tshark -r mypcap.pcap -T fields -e eth.dst | sort | uniq -c

If you want both, you will need to use a newline as the separator between the source and destination address, to put them on separate lines, so sort will sort both source and destination addresses and uniq will find unique addresses.
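As an added example (not part of the original answer), the three counting modes above applied to a constructed sample of the comma-separated src,dst output, so the pipeline can be tried without a capture file or tshark installed; the MAC addresses are made up, and the broadcast destination ff:ff:ff:ff:ff:ff shows why a destination-only count can list addresses that belong to no machine on the network.

```shell
#!/bin/sh
# Constructed sample of what
#   tshark -r mypcap.pcap -T fields -E separator=, -e eth.src -e eth.dst
# prints: one "src,dst" pair per packet. The addresses are invented for this example.
SAMPLE_PAIRS='00:11:22:33:44:55,ff:ff:ff:ff:ff:ff
00:11:22:33:44:55,66:77:88:99:aa:bb
66:77:88:99:aa:bb,00:11:22:33:44:55
00:11:22:33:44:55,66:77:88:99:aa:bb
cc:dd:ee:ff:00:11,00:11:22:33:44:55'

# count_macs MODE: read "src,dst" lines on stdin, print "count address" lines,
# most frequent first. MODE is src, dst or both. For "both", the pair is split
# onto two lines (the same effect as a newline separator from tshark) so that
# sort | uniq -c counts individual addresses rather than src/dst pairs.
count_macs() {
    mode=$1
    case "$mode" in
        src|dst|both) ;;
        *) echo "usage: count_macs src|dst|both" >&2; return 1 ;;
    esac
    {
        if [ "$mode" = src ]; then cut -d, -f1
        elif [ "$mode" = dst ]; then cut -d, -f2
        else tr ',' '\n'
        fi
    } | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# count_for MODE ADDR: the count that MODE reports for one address (empty if absent).
count_for() {
    printf '%s\n' "$SAMPLE_PAIRS" | count_macs "$1" | awk -v a="$2" '$2 == a {print $1}'
}

# Unique addresses seen in either direction, with how often each appeared.
printf '%s\n' "$SAMPLE_PAIRS" | count_macs both
```

Run against a real capture by replacing the sample with the tshark command from the text, e.g. `tshark -r mypcap.pcap -T fields -E separator=, -e eth.src -e eth.dst | count_macs both`.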