Firmware: 10790+
If at any time there is a need to determine a list of unique IP addresses in a PCAP (or MAC addresses, or TCP/UDP ports, or VLAN tags, or packet payload lengths, or distinct protocol layers) and/or the number of times they occur in that PCAP, Fmad provides the custom “ProtoScope” tool and its sister utility JSON2Histo. A basic example which emits a histogram for source IP addresses is as follows:
cat my_packets.pcap | protoscope --ip.src=only | json2histo IPv4Src
# Or use stream_cat:
sudo stream_cat my_packets | protoscope --ip.src=only | json2histo IPv4Src
The result will appear similarly to the following:
IPv4Src (17340)
131.239.94.34 17340 (0.173): ****************************************************************************************************
38.142.52.218 13093 (0.304): ***************************************************************************
172.20.164.5 7859 (0.383): *********************************************
...omitted for brevity...
10.17.21.77 3 (0.996):
10.89.120.100 2 (0.998):
10.17.20.212 1 (1.000):
It may also be informative to demonstrate the effect of cutting out JSON2Histo and showing the ProtoScope output itself, since that has its own applications. Consider the example command below:
cat my_packets.pcap | protoscope --ip.src=only
The result will appear similarly to the following, albeit minified (i.e. without whitespace):
{
"IPv4Src": {
"131.239.94.34": 17340,
"38.142.52.218": 13093,
"172.20.164.5": 7859,
...
"10.17.21.77": 3,
"10.89.120.100": 2,
"10.17.20.212": 1
},
"IPv6Src": {}
}
One can then post-process the result with jq to add whitespace (a.k.a. "prettify"), filter out unwanted information, change the sorting order, et cetera. For more information on ProtoScope’s capabilities, run protoscope --help in your shell; also see json2histo --help.
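As an added example (not Fmad's code, and not how json2histo is implemented), the Python script below parses the kind of minified JSON that protoscope --ip.src=only emits and re-renders it as a json2histo-style histogram, with the sort order and a top-N filter as parameters, which is the sort of post-processing the paragraph above suggests doing with jq. The sample input is constructed from the abridged output shown above, with the elided rows left out, so its cumulative fractions differ from the page's histogram. Three points about the output format are assumptions drawn from the sample rather than documented behaviour: the number in the header is the largest single count, each bar scales linearly to 100 stars for that largest count, and the fraction in parentheses is cumulative over the rows in display order.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the minified object `protoscope --ip.src=only`
# emits, with the rows the page elides left out (so cumulative fractions
# computed here differ from the page's histogram).
PROTOSCOPE_JSON = (
    '{"IPv4Src":{"131.239.94.34":17340,"38.142.52.218":13093,'
    '"172.20.164.5":7859,"10.17.21.77":3,"10.89.120.100":2,"10.17.20.212":1},'
    '"IPv6Src":{}}'
)


def load_layer(doc: str, layer: str) -> Dict[str, int]:
    """Parse ProtoScope's JSON and return one layer (e.g. "IPv4Src") as value -> count."""
    data = json.loads(doc)
    layer_map = data.get(layer, {})
    # Coerce counts so a mis-typed document fails here, not in the arithmetic below.
    return {value: int(count) for value, count in layer_map.items()}


def sort_counts(counts: Dict[str, int], descending: bool = True) -> List[Tuple[str, int]]:
    """Order rows by count, ties broken by value, so the histogram is stable."""
    return sorted(
        counts.items(),
        key=lambda kv: ((-kv[1] if descending else kv[1]), kv[0]),
    )


def render(doc: str, layer: str, width: int = 100,
           descending: bool = True, top: Optional[int] = None) -> List[str]:
    """Render json2histo-style lines: a header, then `value count (cum_frac): bar`.

    Assumptions (a reading of the sample output, not documented behaviour):
      * the number in the header is the largest single count in the layer;
      * a bar is `width` stars for the largest count and scales linearly;
      * the parenthesised fraction is cumulative over the rows in display
        order, as a share of all observations in the layer.
    `top` keeps only the first N rows after sorting; fractions still use the
    full total so they remain comparable with the unfiltered output.
    """
    counts = load_layer(doc, layer)
    total = sum(counts.values())
    peak = max(counts.values(), default=0)   # an empty layer renders as just a header
    rows = sort_counts(counts, descending)
    if top is not None:
        rows = rows[:top]

    lines = [f"{layer} ({peak})"]
    running = 0
    for value, count in rows:
        running += count
        bar = "*" * ((width * count) // peak) if peak else ""
        lines.append(f"{value} {count} ({running / total:.3f}): {bar}".rstrip())
    return lines


if __name__ == "__main__":
    for line in render(PROTOSCOPE_JSON, "IPv4Src"):
        print(line)
```

Run it directly to print the descending histogram; pass descending=False to see the rarest sources first (often the more interesting end of the distribution when hunting for a single unexpected talker), or top=N to keep only the heaviest senders while the fractions still reflect the whole capture.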