[Anthony Critelli <critellia@xxxxxxxxx>]

Chris,

Thanks so much, this worked like a charm!

Final command that I used to sort by BSSIDs and order them by number of frames seen (from high to low):

tshark -n -Y wlan.bssid -T fields -e wlan.bssid -r /wlan/packets_to_sort.pcapng | sort | uniq | sort -rn | less

Sincerely,

Anthony Critelli

B.S. Applied Networking and Systems Administration, 2014

www.acritelli.com

(845) 283-4117

On Fri, Jul 22, 2016 at 4:30 PM, Christopher Maynard <Christopher.Maynard@xxxxxxx> wrote:

Anthony Critelli <critellia@...> writes:

> Anyone have a good way, using either Wireshark or tshark, to get a
>  unique list of BSSIDs from a capture? I've been trying to do "tshark -r
>  capture.pcapng -T fields -e wlan.bssid | uniq" But this isn't working.
> Maybe I'm missing something, but when tshark outputs the BSSIDs, each
> one is different, even when they visibly appear to be the same. Confirmed
this
> with od, and the octal dump of 2 seemingly identical lines (human
readable) are
> different. It also seems to randomly throw empty lines in there. This is
preventing uniq from doing its job.
> Am I misunderstanding the usage of tshark? My understanding of the syntax
above would be that it should just output a list of all the BSSIDs in the
capture, and then I'm just piping it to uniq to filter out duplicates.

Maybe try something like this?

tshark -n -Y wlan.bssid -T fields -e wlan.bssid -r capture.pcapng | sort -u

- Chris



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe