This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Covert the .pcap file to a .csv file using tshark

0
1

What is the "tshark" command for to converting the .pcap file to a .csv file? The packet capture data will be monitored using Splunk.

asked 16 Apr '12, 01:10

misteryuku's gravatar image

misteryuku
20242630
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
1

That depends on which particular fields you want to use in the CSV file. Once you've decided which named fields to put into the CSV file, then you would run a command such as

tshark -T fields -n -r {the pathname of the capture file} -E separator=, -e {first field name} -e {second field name} ... >{the pathname of the output file}

where {the pathname of the capture file} is the pathname of the capture file you're reading and {first field name}, {second field name} and so on are the names of the fields, and {the pathname of the output file} is the pathname of the output file, for example

tshark -T fields -n -r capture.pcap -E separator=, -e ip.src -e ip.dst ... >output.txt
permanent link

answered 16 Apr '12, 10:55

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 18 Apr '12, 23:40

How do i specify the output csv file pathname into this tshark command above??

(18 Apr '12, 17:52) misteryuku

I've updated the anser to show that, and gave an example.

(18 Apr '12, 23:41) Guy Harris ♦♦

What does "this" in "so this applies to a .txt file..." refer to?

The text output of TShark is specified by redirecting its output to a file no matter what type of output is produced.

The -T fields, -E separator=,, and -e flags applies to a CSV file, which means that each line contains a Comma-Separated list of Values, with NO keys. There IS no option to TShark to make it produce output with key=value pairs.

(18 Apr '12, 23:56) Guy Harris ♦♦

okay i see besides outputting the ip.src and the ip.dst , what is the syntax for outputting the values for no, time, protocol, length and Info field column names from the Wireshark Graphical User Interface??

(19 Apr '12, 00:05) misteryuku

There are no fields corresponding to the protocol and info columns, so you'd have to do something such as

tshark -n -r {the pathname of the capture file}

to have it print out the columns. The output would NOT be comma-separated, and would NOT have key= tags; it would look something like

1   0.000000 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx TCP 54 5165 > http [SYN] Seq=0 Win=16384 Len=0
2   0.000001 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx TCP 54 14378 > http [SYN] Seq=0 Win=16384 Len=0
3   0.000003 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx TCP 54 31944 > http [SYN] Seq=0 Win=16384 Len=0
(19 Apr '12, 00:30) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832
×238
×40
×16

question asked: 16 Apr '12, 01:10

question was seen: 17,962 times

last updated: 19 Apr '12, 00:45

Related questions

Help with a tshark cmd

extract from pcap to csv using tshark

Exporting pcap to csv using tshark

Write Gzip Encoded HTTP as Inflated in PCAP File

Possible to somehow mark a packet permanently?

Capturing packet captures live

Tshark how to capture to a file and print text on screen

How to preserve timestamps in tshark output file?

Batch file to read pcap file ? how

how to add data length column in wireshark display or plot payload length vs packet no

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A