This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Exporting pcap to csv using tshark

0

I have a sample pcap file and i opened it as a wireshark GUI. On the wireshark GUI,i click file -> Export. I export it as a CSV file.

I would like the output csv file output using tshark AS IF i export the pcap data to the csv file using Wireshark GUI. what is the TSHARK command for EXPORTING pcap sample file to a csv file?

I want the csv file output to look like this when viewed in windows 7 .txt file:

"No.","Time","Source","Destination","Protocol","Length","Info" "1","0.000000","164.124.33.78","192.168.0.1","TCP","54","35165 > http [SYN] Seq=0 Win=16384 Len=0" "2","0.000001","38.198.26.9","192.168.0.1","TCP","54","14378 > http [SYN] Seq=0 Win=16384 Len=0" "3","0.000003","132.212.36.201","192.168.0.1","TCP","54","31944 > http [SYN] Seq=0 Win=16384 Len=0" "4","0.000005","76.196.6.157","192.168.0.1","TCP","54","10404 > http [RST] Seq=1 Win=0 Len=0" "5","0.000057","189.109.37.180","192.168.0.1","TCP","54","36076 > http [SYN] Seq=0 Win=16384 Len=0" "6","0.000059","189.109.37.188","192.168.0.1","TCP","54","36084 > http [SYN] Seq=0 Win=16384 Len=0" "7","0.000060","76.196.12.251","192.168.0.1","TCP","54","12034 > http [SYN] Seq=0 Win=16384 Len=0" "8","0.000062","132.212.36.146","192.168.0.1","TCP","54","31889 > http [SYN] Seq=0 Win=16384 Len=0"

asked 19 Apr '12, 02:15

misteryuku's gravatar image

misteryuku
20242630
accept rate: 0%

edited 19 Apr '12, 02:48


One Answer:

1

Misteryuku, please stop opening new questions again and again for the same questions you asked before -> this is the 3rd or 4th question with the same topic, so if you don't agree with the Q&A rules further questions like this will be closed !

One last time: Like already mentioned in your other question's answer http://ask.wireshark.org/questions/10256/converting-a-wireshark-pcap-file-to-a-windows-txt-file-that-contains-fieldvalue-data there is no easy way of doing a .csv export via tshark in a way like available through wireshark's GUI as far as the tshark -h options are concerned.

You might however try to do a tshark -r <filename.pcap> > output.txt and then use whitespace as a separator (which will not work with the info coloumn of course) or follow the Tfields approach by specifying specific fields to export together with -E separator=, for example.

answered 19 Apr '12, 03:40

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

edited 19 Apr '12, 03:45

Okay i understand. I'm sorry about it. I should been clearer about what i should be asking. This will be the last time i would be asking this question.

(19 Apr '12, 06:31) misteryuku