If you have a pcap file from which you would like to extract all the network traffic associated with a given IP address, i.e., all packets sent to/from this IP address, you can use tcpdump to do the job:
tcpdump -r <in-file.pcap> -w <out-file.pcap> host <ip-address>
This command will read a pcap file called in-file.pcap as a packet stream and write all packets sent to/from the given IP address to an output pcap file out-file.pcap.
If all you want is to view the host's traffic on a terminal, just omit the -w <out-file.pcap> part. In that case tcpdump will automatically convert IP addresses, port numbers, etc. to more human-readable values, such as hostnames, or "ssh" instead of 22 for the port number. You can disable this name resolution by adding the -n option to the command (it is an option, so it belongs before the filter expression).
As a side note, tcpdump will automatically determine a mapping between IP addresses and MAC addresses, so even traffic associated with the given host that is not IP traffic (e.g., ARP and other layer-2 protocols) may be extracted as well, since tcpdump is able to determine that those packets were sent or received by this host. If you really wish to have only IP traffic in the output, use the following command:
tcpdump -r <in-file.pcap> -w <out-file.pcap> ip host <ip-address>
to extract only IPv4 traffic, and:
tcpdump -r <in-file.pcap> -w <out-file.pcap> ip6 host <ip-address>
to extract only IPv6 traffic.
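To make explicit what the three commands above select, here is an added Python example (not part of the original post, and not tcpdump's own code) that applies the same host filter to a constructed in-memory pcap and returns a filtered pcap the way -w would. It assumes an Ethernet link type, untruncated frames, and the sample addresses and MACs it builds itself; it shows why a plain host filter keeps ARP packets for the host while ip host and ip6 host drop them.

```python
import struct
import ipaddress
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic, microsecond timestamps
IPV4, IPV6, ARP = 0x0800, 0x86DD, 0x0806
# Where the 'host' primitive finds addresses, per ethertype: (src offset, dst offset, length)
ADDR_OFFSETS = {IPV4: (12, 16, 4), IPV6: (8, 24, 16), ARP: (14, 24, 4)}

def build_pcap(frames, linktype=1):  # serialize Ethernet frames into a pcap file image
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def iter_records(pcap):
    """Yield (16-byte record header, frame) pairs, honouring the file's byte order."""
    e = "<" if struct.unpack_from("<I", pcap, 0)[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(e + "IIII", pcap, off)[2]
        yield pcap[off:off + 16], pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def frame_addresses(frame):
    """Return (ethertype, {addresses}): IPv4/IPv6 src and dst, or ARP sender/target IP."""
    ethertype, p = struct.unpack_from("!H", frame, 12)[0], frame[14:]
    if ethertype not in ADDR_OFFSETS or len(p) < sum(ADDR_OFFSETS[ethertype][1:]):
        return ethertype, set()  # not IP/ARP, or truncated
    s, d, n = ADDR_OFFSETS[ethertype]
    return ethertype, {ipaddress.ip_address(p[s:s + n]), ipaddress.ip_address(p[d:d + n])}

def filter_host(pcap, ip, proto=None):
    """Equivalent of: tcpdump -r in -w out [ip|ip6] host <ip>; proto is None, "ip" or "ip6"."""
    target, want = ipaddress.ip_address(ip), {None: None, "ip": IPV4, "ip6": IPV6}[proto]
    kept = []
    for rec_hdr, frame in iter_records(pcap):
        ethertype, addrs = frame_addresses(frame) if len(frame) >= 14 else (None, set())
        if target in addrs and want in (None, ethertype):
            kept.append(rec_hdr + frame)
    return pcap[:24] + b"".join(kept)  # same global header, only the matching records

# Constructed sample frames (placeholder MACs, minimal headers); not a real capture.
def eth(ethertype, payload):
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ethertype) + payload
def ipv4(src, dst):
    return b"\x45\x00\x00\x14" + b"\x00" * 8 + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
def arp(spa, tpa):  # ARP request over Ethernet/IPv4: sender IP at offset 14, target IP at 24
    return struct.pack("!HHBBH", 1, IPV4, 6, 4, 1) + b"\x00" * 6 + ipaddress.ip_address(spa).packed + b"\x00" * 6 + ipaddress.ip_address(tpa).packed

SAMPLE_PCAP = build_pcap([
    eth(IPV4, ipv4("10.0.0.5", "10.0.0.9")),  # IPv4 packet from the host of interest
    eth(ARP, arp("10.0.0.9", "10.0.0.5")),    # ARP request for it: kept by 'host', dropped by 'ip host'
    eth(IPV4, ipv4("10.0.0.7", "10.0.0.8")),  # unrelated traffic
])
```

Running filter_host(SAMPLE_PCAP, "10.0.0.5") keeps two of the three records, while proto="ip" keeps only the IPv4 one.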