This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Generating own expected output form live pcap capture live to a windows txt file

0

This is a tshark command to output packet capture live to a windows txt file.

tshark -i your_interface -V > your _path _to _text _file

This is a tshark command to output the wireshark GUI column data of the pcap to the txt file

tshark -n -r path _ of _ pcap_file > path _ of _ txt _ file

My expected windows txt output :

1 0.000000 164.124.33.78 -> 192.168.0.1 TCP 54 35165 > 80 [SYN] Seq=0 Win=16384 Len=0

2 0.000001 38.198.26.9 -> 192.168.0.1 TCP 54 14378 > 80 [SYN] Seq=0 Win=16384 Len=0

3 0.000003 132.212.36.201 -> 192.168.0.1 TCP 54 31944 > 80 [SYN] Seq=0 Win=16384 Len=0

First Question : How do i know what is the interface to capture the packets live and how to address that in a tshark command as its IP address or its name?

Second Question : I would like to capture the packet data live, generate the above txt output that i expect to a txt file as in "combining the two tshark commands" stated above??

asked 23 Apr '12, 00:30

misteryuku's gravatar image

misteryuku
20242630
accept rate: 0%

edited 23 Apr '12, 00:35

One Answer:
active answersoldest answersnewest answerspopular answers
0

How do i know what is the interface to capture the packets live and how to address that in a tshark command as its IP address or its name?

You can't specify an interface by IP address. If you run tshark -D, it will print the interfaces available; if this is on Windows, the names will not be particularly simple, but there should also be a description given, as well as a number, and you can (whether on Windows or not) use the number as an argument to -i. ipconfig/all on Windows, and ifconfig -a on most UN*Xes, should list the IP addresses assigned to various interfaces, which should let you figure out which interface to use.

I would like to capture the packet data live, generate the above txt output that i expect to a txt file as in "combining the two tshark commands" stated above??

You combine the two commands by taking the first command, removing -V, and adding -n, so that it prints column data rather than a full dissection of the packets, and doesn't try to translate IP addresses to host names:

tshark -i your_interface -n > your _path _to _text _file
permanent link

answered 23 Apr '12, 01:03

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

The description capture interface that i use to capture live packets on Windows is Intel(R)Gigabit network connection when i ran tshark -D

is something like this:

DeviceNPF_{97DEDE1D-222F-4F9B-8A5C-C4BFF6C3904C} (Intel(R)Gigabit network connection)

I ran the command like this : tshark -i DeviceNPF_{97DEDE1D-222F-4F9B-8A5C-C4BFF6C3904C} (Intel(R)Gigabit network connection) -n > "C:\Users\L33604\Desktop\capture.txt"

then windows cmd CLI threw the error message :

Please check that DeviceNPF_{97DEDE1D-222F-4F9B-8A5C-C4BFF6C3904C} is the correct interface. What is wrong here??

(23 Apr '12, 01:37) misteryuku

You need to use the number associated with each interface, e.g. if tshark -D gives you this:

1. DeviceNPF_{AA1F8321-8EB5-4B77-A0E9-D4B359711C2B} (Microsoft) 2. DeviceNPF_{C2E403B5-FAD0-479C-96FD-0E44EB22CD74} (Intel(R) 82579LM Gigabit Network Connection) 3. DeviceNPF_{6EB43EB8-D680-4363-B6BA-E3373CC7ACF7} (Microsoft)

then use -i 2 to select the Gigabit connection.

(23 Apr '12, 04:39) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832
×15
×9

question asked: 23 Apr '12, 00:30

question was seen: 3,335 times

last updated: 23 Apr '12, 04:39

Related questions

Help with a tshark cmd

Converting a wireshark pcap file to a windows txt file that contains field=value data.

Can tshark display textual HTTP content during capture?

Rolling packet data capture using tshark live.

Throughput calculation

Can I filter out frames without renumbering the frames?

tshark can't get the ip.src when capture packets on wlan

how to read the icmpv6 flags for router advertisement

What is the filter to extract TCP packets? (in wireshark)

How to enable LUA in wireshark ?

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A