What is the "tshark" command for converting a .pcap file to a .csv file? The packet capture data will be monitored using Splunk. asked 16 Apr '12, 01:10 misteryuku
One Answer:
That depends on which particular fields you want to use in the CSV file. Once you've decided which named fields to put into the CSV file, then you would run a command such as
where {the pathname of the capture file} is the pathname of the capture file you're reading and {first field name}, {second field name} and so on are the names of the fields, and {the pathname of the output file} is the pathname of the output file, for example
answered 16 Apr '12, 10:55 Guy Harris, edited 18 Apr '12, 23:40
How do I specify the output CSV file pathname in this tshark command above?
I've updated the answer to show that, and gave an example.
What does "this" in "so this applies to a .txt file..." refer to?
The text output of TShark is specified by redirecting its output to a file no matter what type of output is produced.
The "-T fields", "-E separator=," and "-e" flags apply to a CSV file, which means that each line contains a Comma-Separated list of Values, with NO keys. There IS no option to TShark to make it produce output with key=value pairs.
Okay, I see. Besides outputting the ip.src and the ip.dst, what is the syntax for outputting the values for the No., Time, Protocol, Length and Info field column names from the Wireshark Graphical User Interface?
There are no fields corresponding to the protocol and info columns, so you'd have to do something such as
to have it print out the columns. The output would NOT be comma-separated, and would NOT have key= tags; it would look something like
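The field-export form of tshark described in the answer above ("-T fields" with "-e" per field and "-E separator=,"), together with the later point that tshark itself never emits key=value pairs, can be wrapped in a small script that builds the command line, writes the CSV to the output file, and post-processes the rows into keyed records for Splunk. This is an added example, not code from the original thread or from the Wireshark project. It assumes the tshark binary is on PATH when the export function is actually run; the sample CSV text is constructed here, and the frame.number, frame.time_relative and frame.len fields are used as the closest equivalents of the No., Time and Length columns (the Protocol and Info columns are not covered, per the answer). The "-E quote=d", "-E header=y" and "-E occurrence=f" options are real tshark options used here to keep the CSV well-formed; they are not mentioned on the page.

```python
"""Build a tshark field-export command and turn its CSV output into keyed rows.

Added example, not from the original thread. Assumes tshark is on PATH when
export_csv() is called; the parsing part runs offline on constructed text.
"""
import csv
import io
import shutil
import subprocess

# ip.src / ip.dst are the fields named in the thread; the frame.* fields are an
# assumption standing in for the No., Time and Length columns of the GUI.
DEFAULT_FIELDS = ["frame.number", "frame.time_relative",
                  "ip.src", "ip.dst", "frame.len"]


def build_tshark_argv(capture_path, fields=DEFAULT_FIELDS):
    """Return the argv list for 'tshark -r <pcap> -T fields ...'.

    -E header=y     first output line is the list of -e field names, so the
                    CSV carries its own column names (tshark has no key=value).
    -E quote=d      double-quote every value; a comma inside a value would
                    otherwise silently add a column.
    -E occurrence=f keep only the first value of a field that occurs more than
                    once in a packet (e.g. ip.src inside an ICMP error), which
                    would otherwise be joined with ',' and break the row.
    """
    argv = ["tshark", "-r", capture_path, "-T", "fields",
            "-E", "separator=,", "-E", "quote=d",
            "-E", "header=y", "-E", "occurrence=f"]
    for field in fields:
        argv += ["-e", field]
    return argv


def parse_fields_csv(text):
    """Parse tshark -T fields CSV (with a header line) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def to_key_value_lines(rows):
    """Render each row as 'field="value" ...', dropping empty fields.

    tshark cannot emit this itself; it is a post-processing step so that a
    log indexer can extract key=value pairs from each line.
    """
    lines = []
    for row in rows:
        parts = [f'{k}="{v.replace(chr(34), chr(92) + chr(34))}"'
                 for k, v in row.items() if v != ""]
        lines.append(" ".join(parts))
    return lines


def export_csv(capture_path, out_path, fields=DEFAULT_FIELDS):
    """Run tshark on capture_path, write the CSV to out_path, return row count.

    -T fields output goes to stdout, so the output pathname is handled by the
    caller (here by writing stdout to a file) rather than by a tshark flag.
    """
    if shutil.which("tshark") is None:
        raise FileNotFoundError("tshark not found on PATH")
    result = subprocess.run(build_tshark_argv(capture_path, fields),
                            capture_output=True, text=True, check=True)
    with open(out_path, "w", newline="") as fh:
        fh.write(result.stdout)
    return len(parse_fields_csv(result.stdout))


# Constructed sample of what the command above would print (not real capture
# data). Row 3 is a non-IP frame, so its ip.* fields are empty.
SAMPLE_OUTPUT = (
    "frame.number,frame.time_relative,ip.src,ip.dst,frame.len\n"
    '"1","0.000000000","10.0.0.5","10.0.0.1","74"\n'
    '"2","0.000123000","10.0.0.1","10.0.0.5","74"\n'
    '"3","1.500000000","","","60"\n'
)

if __name__ == "__main__":
    print(" ".join(build_tshark_argv("capture.pcap")))
    for line in to_key_value_lines(parse_fields_csv(SAMPLE_OUTPUT)):
        print(line)
```

Running the script prints the exact command line it would invoke and the keyed form of the constructed sample; calling export_csv("capture.pcap", "capture.csv") performs the real export once tshark is installed. The occurrence=f choice is deliberate: the default behaviour joins repeated field values with the same comma used as the separator, which is the most common way a tshark-generated CSV ends up with ragged rows.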