When I've done that sort of thing before, I typically use tshark
to extract the data and then other tools (Python, Perl, awk, etc.) to further refine the resulting data. So with that approach in mind, you could use this:
tshark -r mysample.pcapng.gz -2 -Tfields -eip.src -eip.dst -eframe.protocols
With that command line, you'll get exactly those fields, but be aware that some lines, such as those with ARP packets, won't have IP addresses (because they're not IP packets), and that IPv6 packets won't show IP addresses because those field names (ip.src
and ip.dst
) are only for IPv4. Here's sample output from a capture file I happened to have handy:
10.68.40.152 224.0.0.252 eth:ethertype:ip:udp:dns
10.68.40.119 255.255.255.255 eth:ethertype:ip:udp:db-lsp-disc
10.68.40.119 10.68.41.255 eth:ethertype:ip:udp:db-lsp-disc
eth:ethertype:arp
10.68.40.152 224.0.0.252 eth:ethertype:ip:udp:dns
10.68.40.65 10.68.41.255 eth:ethertype:ip:udp:nbns
eth:ethertype:ipv6:ipv6.nxt:udp:dns
eth:ethertype:ipv6:ipv6.nxt:udp:dns
If you'd prefer to eliminate the non-IPv4 packets, just add a filter:
tshark -r mysample.pcapng.gz -2 -Tfields -R ip -eip.src -eip.dst -eframe.protocols
Under Linux (which is what I use), you can easily pipe the output of that into various other utility programs. For example, if you append this to that command line:
|sort -n |uniq -c |sort -n
You'll get list, in ascending order of frequency, of each unique src, dst and proto combination present within your sample file.