This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Generating my own expected output from a live pcap capture to a Windows txt file

0

This is a tshark command to output packet capture live to a windows txt file.

tshark -i your_interface -V > your_path_to_text_file

This is a tshark command to output the wireshark GUI column data of the pcap to the txt file

tshark -n -r path_of_pcap_file > path_of_txt_file

My expected windows txt output :

1 0.000000 164.124.33.78 -> 192.168.0.1 TCP 54 35165 > 80 [SYN] Seq=0 Win=16384 Len=0
2 0.000001 38.198.26.9 -> 192.168.0.1 TCP 54 14378 > 80 [SYN] Seq=0 Win=16384 Len=0
3 0.000003 132.212.36.201 -> 192.168.0.1 TCP 54 31944 > 80 [SYN] Seq=0 Win=16384 Len=0

First Question: How do I know which interface to use to capture the packets live, and how do I address it in a tshark command, by its IP address or by its name?

Second Question: I would like to capture the packet data live and generate the txt output I expect (shown above) to a txt file, i.e. "combine the two tshark commands" stated above. How?

asked 23 Apr '12, 00:30

misteryuku

accept rate: 0%

edited 23 Apr '12, 00:35


One Answer:

0

How do I know which interface to use to capture the packets live, and how do I address it in a tshark command, by its IP address or by its name?

You can't specify an interface by IP address. If you run tshark -D, it will print the interfaces available; if this is on Windows, the names will not be particularly simple, but there should also be a description given, as well as a number, and you can (whether on Windows or not) use the number as an argument to -i. ipconfig /all on Windows, and ifconfig -a on most UN*Xes, should list the IP addresses assigned to various interfaces, which should let you figure out which interface to use.

I would like to capture the packet data live and generate the txt output I expect (shown above) to a txt file, i.e. "combine the two tshark commands" stated above. How?

You combine the two commands by taking the first command, removing -V, and adding -n, so that it prints column data rather than a full dissection of the packets, and doesn't try to translate IP addresses to host names:

tshark -i your_interface -n > your_path_to_text_file

answered 23 Apr '12, 01:03


Guy Harris ♦♦
accept rate: 19%

The description of the capture interface that I use to capture live packets on Windows is Intel(R)Gigabit network connection; when I ran tshark -D the output was something like this:

\Device\NPF_{97DEDE1D-222F-4F9B-8A5C-C4BFF6C3904C} (Intel(R)Gigabit network connection)

I ran the command like this: tshark -i \Device\NPF_{97DEDE1D-222F-4F9B-8A5C-C4BFF6C3904C} (Intel(R)Gigabit network connection) -n > "C:\Users\L33604\Desktop\capture.txt"

then the Windows cmd CLI threw the error message:

Please check that \Device\NPF_{97DEDE1D-222F-4F9B-8A5C-C4BFF6C3904C} is the correct interface.

What is wrong here?

(23 Apr '12, 01:37) misteryuku

You need to use the number associated with each interface, e.g. if tshark -D gives you this:

1. \Device\NPF_{AA1F8321-8EB5-4B77-A0E9-D4B359711C2B} (Microsoft)
2. \Device\NPF_{C2E403B5-FAD0-479C-96FD-0E44EB22CD74} (Intel(R) 82579LM Gigabit Network Connection)
3. \Device\NPF_{6EB43EB8-D680-4363-B6BA-E3373CC7ACF7} (Microsoft)

then use -i 2 to select the Gigabit connection.

(23 Apr '12, 04:39) grahamb ♦
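The following is an added example, not code from the answer, the comments, or the Wireshark project: it turns the advice above (pick the interface by the number tshark -D prints, then run the -V-less, -n command) into a small script. The sample listing is copied from grahamb's comment; the substring-match helper, its "exactly one match" rule and the output path are assumptions of this example.

```shell
#!/bin/sh
# Added example: resolve a tshark -D interface NUMBER from a description
# substring, because "-i <number>" is the reliable way to select a Windows
# adapter (the \Device\NPF_{GUID} names are awkward to type and quote, and
# appending the "(description)" to -i, as in the comment above, fails).

# Constructed input: the "tshark -D" listing from grahamb's comment.
SAMPLE_TSHARK_D='1. \Device\NPF_{AA1F8321-8EB5-4B77-A0E9-D4B359711C2B} (Microsoft)
2. \Device\NPF_{C2E403B5-FAD0-479C-96FD-0E44EB22CD74} (Intel(R) 82579LM Gigabit Network Connection)
3. \Device\NPF_{6EB43EB8-D680-4363-B6BA-E3373CC7ACF7} (Microsoft)'

# pick_iface SUBSTRING   (reads tshark -D output on stdin)
# Prints the interface number when exactly one description contains SUBSTRING.
# Returns 1 when nothing matches or the match is ambiguous (two "Microsoft"
# entries), so a script never silently captures on the wrong adapter.
pick_iface() {
    pattern="$1"
    # Turn "N. \Device\... (desc)" into "N|desc" (the last " (" starts the
    # description, so "Intel(R)" inside it is safe), then match on desc only.
    matches=$(sed -n 's/^\([0-9][0-9]*\)\. .* (\(.*\))$/\1|\2/p' \
              | awk -F'|' -v pat="$pattern" 'index($2, pat) { print $1 }')
    count=$(printf '%s\n' "$matches" | grep -c '^[0-9]') || true
    if [ "$count" -ne 1 ]; then
        echo "pick_iface: $count interfaces match '$pattern'" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# capture_cmd SUBSTRING OUTFILE   (reads tshark -D output on stdin)
# Builds the combined command from the answer: live capture on that interface,
# column output only (-n, no -V), redirected to a text file. It prints the
# command instead of running it, so the block works without tshark installed.
capture_cmd() {
    iface_num=$(pick_iface "$1") || return 1
    printf 'tshark -i %s -n > "%s"\n' "$iface_num" "$2"
}

# Demo: resolve the Gigabit adapter from the sample listing (path is made up).
printf '%s\n' "$SAMPLE_TSHARK_D" | capture_cmd Gigabit 'C:\Users\me\Desktop\capture.txt'
```

On a real machine replace the sample with `tshark -D | capture_cmd Gigabit capture.txt`; the GUIDs differ per host, which is exactly why matching on the description and using the number is more portable than pasting the device name.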