Solved: group ports by IP

curtgran · ‎04-24-2012

Hi,

I'm hoping this is trivial but I've searched and can't really find the answer.

I'm searching TCP connections and would like to have a list of all the IP addresses and what ports they have used. A sample would look like this:

10.1.1.1 21 22 23 80 8080

I don't care how the ports are grouped but I would like them all on the line with the IP address if possible.

Thanks for any help on this one.

Curt

Ayn · ‎04-24-2012

Not strictly on one line, but each IP along with a list of the port it's used:

... | stats values(dest_port) by src_ip

(assuming your port field is dest_port and the host field is src_ip.)

sowings · ‎04-24-2012

I might try something with stats, e.g. <search> ... | stats list(port) as portlist by ip | table ip, portlist

Ayn · ‎04-24-2012

Not strictly on one line, but each IP along with a list of the port it's used:

... | stats values(dest_port) by src_ip

(assuming your port field is dest_port and the host field is src_ip.)

group ports by IP