How can I extract only the destination ports from a TCPDUMP file

I currently have a script in bash that extracts the destination IPs and ports only from the host IP (me). I need to sort the destination ports into a separate file.

The command I use now for making the capture:

tcpdump -G 15 -W 1 -w myscript15s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'  

Does anyone know what command I can use to put only the destination ports in a separate document? I found you can only sort IPs, but maybe I didn't search thoroughly enough :(


// Script for making the capture

#!/bin/bash
clear
echo "Select your capture option: "
read -r capture
echo "You selected  $capture"   # was $catpure (typo), so the selection never printed
echo
# Quote the variable so an empty answer does not break the test
if [ "$capture" == "Option1" ];
then
echo
# 15-second capture of traffic from this host to any destination port
tcpdump -G 15 -W 1 -w myscript15s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
# Print the capture as text with full timestamps, no name resolution
tcpdump -ttttnnr myscript15s
cp myscript15s captura
elif [ "$capture" == "Option2" ]
then
echo
# Same filter, but a 600-second capture
tcpdump -G 600 -W 1 -w myscript600s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
else
echo "Incorrect option .."
fi
echo
echo "The end"
echo

/// output - placed only the first 2 lines to get the idea

2018-06-26 15:42:21.261263 IP 10.0.2.15.54178 > 10.18.0.22.53:19272 [1au] A? detectportal.firefox.com.(53)
2018-06-26 15:42:21.261418 IP 10.0.2.15.51118 > 10.18.0.22.53:31437+ [1au] AAAA? detectportal.firefox.com.(53) 

Upvotes: 0


Answers (1)

Jarod

One way that could achieve this would be using tshark to read the capture while applying display filters, sorting as needed, then writing the output to a file:

 tshark -r your_capture_file.pcap -T fields -e udp.dstport -e tcp.dstport | sort | uniq > results.txt

If you wish to also include the protocol name in your results you can add it in the filter as well:

 tshark -r your_capture_file.pcap -T fields -e _ws.col.Protocol -e udp.dstport -e tcp.dstport | sort | uniq > results.txt

Note that using the above method will take care of everything in a single command; however, the resulting output will contain blank UDP port columns for TCP traffic and blank TCP port columns for UDP traffic, which may pose an issue.

In order to avoid this, you can simply run the command twice, once per protocol:

TCP

tshark -r your_capture_file.pcap -T fields -e tcp.dstport | sort | uniq > results.txt

UDP

tshark -r your_capture_file.pcap -T fields -e udp.dstport | sort | uniq >> results.txt

Take note that the second run should use the >> operator instead of the > one to append data to the results file.

Upvotes: 1
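As an added example that is not part of the question or the answer above: if tshark is not available, the destination ports can also be pulled straight out of the text that the question's own `tcpdump -ttttnnr myscript15s` step prints, since every line carries a `src.port > dst.port:` pair. The sample lines below are constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of tcpdump -ttttnn output (two DNS lines, two TCP lines);
# in real use replace this with: tcpdump -ttttnnr myscript15s | extract_dst_ports
SAMPLE='2018-06-26 15:42:21.261263 IP 10.0.2.15.54178 > 10.18.0.22.53: 19272 [1au] A? detectportal.firefox.com. (53)
2018-06-26 15:42:21.261418 IP 10.0.2.15.51118 > 10.18.0.22.53: 31437+ [1au] AAAA? detectportal.firefox.com. (53)
2018-06-26 15:42:22.000100 IP 10.0.2.15.40000 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
2018-06-26 15:42:22.000200 IP 10.0.2.15.40001 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0'

# Emit one destination port per input line (unsorted). Works for any timestamp
# format because it looks for the ">" token rather than a fixed column number;
# the port is the last dot-separated part of the "dst_ip.dst_port:" token.
dst_port_stream() {
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i == ">") {
                d = $(i + 1)
                sub(/:.*/, "", d)           # drop the colon and anything after it
                n = split(d, p, ".")        # port is the final component
                if (p[n] ~ /^[0-9]+$/) print p[n]
                break
            }
        }
    }'
}

# Sorted, de-duplicated list of destination ports: the file the question asks for.
# Usage: tcpdump -ttttnnr myscript15s | extract_dst_ports > dst_ports.txt
extract_dst_ports() {
    dst_port_stream | sort -n | uniq
}

# Same ports with a hit count, most contacted first: useful when reviewing
# which services a host actually talks to.
count_dst_ports() {
    dst_port_stream | sort -n | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE" | extract_dst_ports
printf '%s\n' "$SAMPLE" | count_dst_ports
```

Note that `sort -n` orders the ports numerically, so 80 lands before 443 instead of after it as a plain text sort would give.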
