4

I am doing an assignment, in which I'm asked to answer certain questions based on a pcap file that I'm given. One of the questions is to find the top 5 (according to number of packets sent) source IP addresses.

I have come up with the below command:

$ tshark -r assign1.pcap | sort -n -k7 | tail -n 5 | awk '{print $3}'

where

  • tshark -r reads the pcap file
  • assign1.pcap is the packet capture file
  • sort -n -k7 sorts the file numerically on column 7 (this column has the packet length for each IP address)
  • tail -n 5 prints the last 5 records, i.e. those with the highest packet length
  • awk '{print $3}' prints only the third column.

Now here is my problem: since I need the unique top 5 source IP addresses, I tried to pipe the uniq command at the end of the script, but it doesn't help. I also tried to use sort -u -t, -k3,3 from this link, but this also doesn't print unique IP addresses!

My pcap file column headers look like this:

   [screenshot of the tshark column headers; image not included]

Rui F Ribeiro

2 Answers

4

I think if you reorganize the output from tshark using -T fields it's much easier. I was able to accomplish what you want like so:

$ tshark -r blah.pcap -T fields -e frame.len -e ip.src | sort -k 1n | tail -5
92  10.0.2.2
92  10.0.2.2
92  10.0.2.2
100 10.0.2.15
156 10.0.2.15

tshark fields

You can use this command to get a list of all the fields:

$ tshark -G fields

But I found that a bit difficult to read. If you want to understand the columns in the -G field output, they're described here: tshark - Dump and analyze network traffic:

 * Header Fields
 * -------------
 * Field 1 = 'F'
 * Field 2 = descriptive field name
 * Field 3 = field abbreviation
 * Field 4 = type (textual representation of the ftenum type)
 * Field 5 = parent protocol abbreviation
 * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
 * Field 7 = bitmask: format: hex: 0x....
 * Field 8 = blurb describing field

You can use this grep to filter the output if you're brave:

$ tshark -G fields | grep -P '\s+(ip.src|frame.len)\s+'
F   Frame length on the wire    frame.len   FT_UINT32   frame   BASE_DEC    0x0
F   Source  ip.src  FT_IPv4 ip      0x0


slm
1

So after getting a hint from this answer, I came up with this script:

$ tshark -r assign1.pcap | sort -n -r -k7 | awk '!seen[$3]++' | awk '{print $3}' | head -n 5 >> result.txt

Explaining each command in the line:

  • tshark -r assign1.pcap reads the pcap file
  • sort -n -r -k7 sorts the file numerically (-n) in reverse order (-r) on column 7 (-k7) [this column has the packet length for each IP address]
  • awk '!seen[$3]++' prints a source IP address (3rd column) only if it has not been seen before, so this way it prints only unique IPs
  • awk '{print $3}' prints only the 3rd column (the source IP address)
  • head -n 5 >> result.txt: since I need the top 5, I limited my results to only 5 by using the head command; the final >> result.txt appends the terminal output to a text file.
Rui F Ribeiro
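As an added example that is not part of either answer above: both answers sort on frame.len and then de-duplicate on ip.src, which ranks addresses by the largest single frame they sent, not by how many frames they sent. The two shell functions below make the difference visible on the same constructed input. They consume the "frame.len<TAB>ip.src" lines that `tshark -T fields -e frame.len -e ip.src` prints; the function names, and the sample data in `sample_fields`, are my own assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not code from the answers above. The function names and the
# sample data are assumptions made for this illustration.
#
# Both functions read "frame.len<TAB>ip.src" lines on stdin, i.e. the output of
#   tshark -r assign1.pcap -T fields -e frame.len -e ip.src
# and print "ip count" (or "ip length") lines, highest first.

# Rank source addresses by how many frames they sent ("number of packets sent").
top_sources() {
    n="${1:-5}"
    # Skip frames with an empty ip.src (ARP, IPv6 and other non-IPv4 frames),
    # count each address, sort by count (ties broken by address), keep N.
    awk -F'\t' '$2 != "" { print $2 }' \
        | sort | uniq -c \
        | sort -k1,1nr -k2,2 \
        | head -n "$n" \
        | awk '{ print $2, $1 }'
}

# Rank source addresses by the largest single frame each one sent, which is
# what sorting on frame.len and de-duplicating on ip.src actually measures.
largest_packet_sources() {
    n="${1:-5}"
    awk -F'\t' '$2 != ""' \
        | sort -k1,1nr \
        | awk -F'\t' '!seen[$2]++ { print $2, $1 }' \
        | head -n "$n"
}

# Constructed sample in the same shape tshark prints (one frame per line);
# the empty second field stands for a frame with no IPv4 header.
sample_fields() {
    printf '%s\t%s\n' \
        92   10.0.2.2 \
        60   10.0.2.15 \
        1514 10.0.2.2 \
        60   10.0.2.15 \
        42   '' \
        100  192.168.1.10 \
        60   10.0.2.15 \
        60   10.0.2.15
}

echo "By packet count:"
sample_fields | top_sources 5
echo "By largest single packet:"
sample_fields | largest_packet_sources 5
```

On the sample, `top_sources` puts 10.0.2.15 first (4 frames) while `largest_packet_sources` puts 10.0.2.2 first (one 1514-byte frame), so the two pipelines answer different questions. Two caveats when running this on a real capture: IPv6 traffic has no `ip.src` (add `-e ipv6.src` if the assignment counts it), and frames that carry an encapsulated IP header (ICMP errors, for example) print more than one `ip.src` value joined by a comma, which `-E occurrence=f` reduces to the outer one.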