当我使用以下命令分析file.pcap时
tshark -r file.pcap -T fields -E Separator=' ' -e ip.src -e ip.len
我得到了这样的结果
IP ADDRESS BYTES
---------------------
ip address 1 25
ip address 2 56
ip address 1 78
ip address 3 100
我想要的结果
IP ADDRESS TOTAL AMOUNT OF BYTES
---------------------------------------------------------
ip address 1 whole amount of byte sent by ip address 1
ip address 2 whole amount of byte sent by ip address 2
ip address 3 whole amount of byte sent by ip address 3
有什么办法可以产生这个结果? 我的示例pcap文件行数超过5,400,000,这就是为什么我需要一个命令的原因。
答案 0 :(得分:0)
我用过命令,
tshark -r file.pcap -g -z enpoints,ip > output.dat
然后
cat output.dat
此结果
Ip address -> Total packets, Total bytes, sent packets, sent bytes, received packets, received bytes
然后在命令后执行命令以获取前10个IP地址,
cat output.dat | sort -k 3,3nr | head -10
通过此命令,它按降序对第3列进行排序,以便我们可以获取输入和输出数据最多的前十个IP地址。