IP statistics from PCAP files
Written by Markus Thilo GPL-3
Runs through PCAP files and statistically analyzes IP packets. Other packets are ignored. Adresses, ports (on -g), oldest timestamp, youngest timestamp (first seen / last seen), the quantity of packets and the sum of the packet volumes (as given in PCAP files as orig_len) are listed.
This software might not work with all variants of PCAP files. Ethernet link layer should work. PCAPNG is not supported.
The programm uses C standard libraries only. It uses one thread but should run fast compared to complex analysis tools with tons of options. The pure C and code has under 1000 lines.
All you need is in the source file: iprunner.c:
gcc -o iprunner iprunner.c
(or use make)
Help / show options:
./pcaprunner -h (to get the Options)
Options:
-c Do not print headlines for the columns (fields).
-r Print timestamps and traffic volumes in human readable format. The time stamps are taken from the PCAP files without any validation or adjustment.
-i Invert sort output data (from small to large).
-n Sort by number of packets instead of transfered bytes.
- Sum up all traffic regardless the transport layer and create a shorter list. This is ignored on -g (grep).
-g Grep (filter) for one or two IP addresses.
-w FILE Write to CSV/TSV file.
Patterns:
ADDRESSSum packets if source or destination address matches.ADDRESS-ADDRESSSum packets if one address is source and one is the destination.
Compression of IPv6 addresses removing colons does not work.
./iprunner -r -w out.tsv dump1.pcap dump2.pcap dump3.pcap
./iprunner -g ff02:::::::fb dump.pcap
./iprunner -g 192.168.1.7-216.58.207.78 -w out.tsv dump.pcap
Use this piece of software on your own risk. Accuracy is not garanteed.
Report bugs to: markus.thilo@gmail.com
Project page: https://github.com/markusthilo/iprunner