charlotteopk.blogg.se

Wireshark destination filter

  • This primitive helps us to apply filters on Ethernet host addresses. If we require only the source address or only the destination address, we must specify src|dst between the keywords ether and host.
  • This primitive helps us to apply filters on packets that used the host as a gateway.
  • This primitive helps us to apply filters on network numbers. If we want only the source network or only the destination network, we must specify src|dst before the primitive. If our network number is different, we can manually select the netmask or the CIDR prefix for the network.
  • This primitive helps us to apply filters on TCP and UDP port numbers. If we want only the source port or only the destination port, and only TCP or only UDP packets, we must specify the keywords src|dst and tcp|udp before the primitive. Note that tcp|udp must appear before src|dst.

When I've done that sort of thing before, I typically use tshark to extract the data and then other tools (Python, Perl, awk, etc.) to further refine the resulting data. So with that approach in mind, you could use this:

    tshark -r <capture file> -2 -Tfields -eip.src -eip.dst -eframe.protocols

With that command line, you'll get exactly those fields, but be aware that some lines, such as those with ARP packets, won't have IP addresses (because they're not IP packets), and that IPv6 packets won't show IP addresses because those field names (ip.src and ip.dst) are only for IPv4.

If you'd prefer to eliminate the non-IPv4 packets, just add a filter:

    tshark -r <capture file> -2 -Tfields -R ip -eip.src -eip.dst -eframe.protocols

Under Linux (which is what I use), you can easily pipe the output of that into various other utility programs. For example, if you append this to that command line:

    |sort -n |uniq -c |sort -n

you'll get a list, in ascending order of frequency, of each unique src, dst and proto combination present within your sample file.
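An added example (not from the original page) of the Python refinement step mentioned above: it tallies tab-separated `tshark -Tfields` rows per src/dst/protocol combination and counts rows with empty IPv4 fields separately instead of mixing them into the totals. The function names and sample rows are constructed for illustration; the comma handling assumes tshark's default of printing every occurrence of a repeated field.

```python
"""Count unique (src, dst, protocols) rows from `tshark -Tfields` output."""
import sys
from collections import Counter


def count_flows(lines):
    """Return (Counter keyed by (src, dst, protocols), rows lacking IPv4 addresses)."""
    flows = Counter()
    non_ipv4 = 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        # tshark separates -e fields with a tab by default; pad short rows.
        src, dst, protos = (line.split("\t") + ["", "", ""])[:3]
        if not src or not dst:
            # ARP, IPv6 and similar packets leave ip.src / ip.dst empty.
            non_ipv4 += 1
            continue
        # A packet with several IPv4 headers (for example an ICMP error that
        # quotes the original packet) lists each occurrence, comma-separated.
        # Keep the first occurrence, which is the outer header.
        flows[(src.split(",")[0], dst.split(",")[0], protos)] += 1
    return flows, non_ipv4


def report(flows):
    """Rows as (count, src, dst, protocols), ascending by count like `sort -n`."""
    return sorted((n, s, d, p) for (s, d, p), n in flows.items())


# Constructed sample rows, not taken from a real capture.
SAMPLE = (
    ["10.0.0.5\t192.0.2.10\teth:ethertype:ip:tcp\n"] * 3
    + ["10.0.0.5\t10.0.0.1\teth:ethertype:ip:udp:dns\n"] * 2
    + ["\t\teth:ethertype:arp\n",
       "\t\teth:ethertype:ipv6:icmpv6\n",
       "10.0.0.1,10.0.0.5\t10.0.0.5,10.0.0.9\teth:ethertype:ip:icmp:ip:udp\n"]
)

if __name__ == "__main__":
    # Read piped tshark output if present, otherwise use the sample rows.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    flows, skipped = count_flows(source)
    for n, s, d, p in report(flows):
        print(f"{n:7d} {s} {d} {p}")
    print(f"{skipped} rows without IPv4 addresses", file=sys.stderr)
```

To use it on a real capture, pipe the output of the tshark command above into the script on standard input.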











