This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to convert multiple .pcap files to .csv

Hi,

I would like to know if it is possible to convert multiple wireshark capture files to csv files. For example there are 3 files in a folder, is there any way to convert all three with a command or does anyone know a way to do this? Any help is appreciated.

I am using a tshark command to convert one file at a time. Instead of test.pcap and test.csv I tried using variables as well with wildcard characters.

tshark -T fields -n -r "C:\test.pcap" -E separator=, -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e tcp.analysis.ack_rtt >> "C:\test.csv"

I've also tried using a for command but I'm running into errors with syntax. This is the full script I'm working with.

set outfile=*.csv
set infile=*.pcap

cd C:\Program Files\Wireshark

for /f %%f in ('dir /b C:\testfolder') do tshark -T fields -n -r "C:\testfolder%infile%" -E separator=, -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e tcp.analysis.ack_rtt >> "C:\testfolder%outfile%" %%f

Thank you in advance.

asked 17 Jul ‘12, 06:53

nyc

edited 17 Jul ‘12, 12:04

Kurt Knochner ♦


One Answer:

Please try this:

@echo off

set cap_files="*.cap"
set cap_folder="c:\testfolder"

set outfile=c:\testfolder\outfile.txt

set tshark_cmd="c:\Program Files\Wireshark\tshark"
set tshark_options=-n -T fields -E separator=, -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e tcp.analysis.ack_rtt

REM Start with a fresh output file
echo. > %outfile%

for /r %cap_folder% %%f in (%cap_files%) do (
    echo Processing File: %%f

    REM echo == File:  %%f >> %outfile%
    REM Quote the capture path so file names containing spaces work
    %tshark_cmd% -r "%%f" %tshark_options% >> %outfile%
)

echo.
echo Results in: %outfile% … Cheers Kurt

Sample output:

C:\testfolder> loop.cmd
Processing File: c:\testfolder\input_1.cap
Processing File: c:\testfolder\input_2.cap

Results in: c:\testfolder\outfile.txt … Cheers Kurt

Regards
Kurt

answered 17 Jul ‘12, 11:53

Kurt Knochner ♦

edited 17 Jul ‘12, 11:57

Hi Kurt,

This worked perfectly for what I was trying to do, thank you. I'm going to tweak it to see if I am able to get separate output files for each capture file.

Thanks again for your help.

(17 Jul ‘12, 12:25) nyc

good luck!

(17 Jul ‘12, 12:29) Kurt Knochner ♦

Will the above command be able to include payload information in the txt file?

(06 Feb ‘13, 23:15) Lim Gordon

If you adjust the tshark options, and depending on the type of payload you are interested in: Yes.

(07 Feb ‘13, 04:20) Kurt Knochner ♦

Kurt, can you give me an example of a tshark option to include payload?

(13 Feb ‘13, 08:32) Lim Gordon
  • What payload are you interested in? TCP, UDP, HTTP, SMTP?
  • Can you describe in which format you need the payload (ASCII, HEX, RAW)
  • Can you describe how you want to process the payload data or what you are looking for?
(13 Feb ‘13, 08:38) Kurt Knochner ♦

  • What payload are you interested in? << TCP.
  • Can you describe in which format you need the payload. << RAW.
  • Can you describe how you want to process the payload data or what you are looking for? << Still exploring and playing around with the data.

(21 Feb ‘13, 08:12) Lim Gordon
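
The per-file variant mentioned in the comments, as an added example that is not part of the original thread: it writes one .csv next to each capture and turns on tshark's field quoting, because frame.time contains a comma and would otherwise split into two columns. The folder and tshark path are taken from the thread; matching both *.pcap and *.cap, and adding the header row, are assumptions made for this sketch.

```batch
@echo off
setlocal

REM Assumed locations (from the thread); adjust to your system.
set "cap_folder=c:\testfolder"
set "tshark_cmd=c:\Program Files\Wireshark\tshark.exe"

REM -E header=y  writes the field names as the first row of each file.
REM -E quote=d   wraps every value in double quotes, so the comma inside
REM              frame.time stays in one column, and the two values of
REM              tcp.port (joined with "," by default) stay in one cell.
set tshark_options=-n -T fields -E separator=, -E header=y -E quote=d -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e tcp.analysis.ack_rtt

for %%f in ("%cap_folder%\*.pcap" "%cap_folder%\*.cap") do (
    echo Processing File: %%~ff

    REM %%~dpnf = drive + path + base name of the capture, so
    REM input_1.cap produces input_1.csv in the same folder.
    REM ">" overwrites the file, so a re-run does not append duplicate rows.
    "%tshark_cmd%" -r "%%~ff" %tshark_options% > "%%~dpnf.csv"

    REM tshark exits non-zero on an unreadable or truncated capture.
    if errorlevel 1 echo WARNING: tshark reported an error for %%~ff
)

endlocal
```

Two captures with the same base name but different extensions (a.cap and a.pcap) would write to the same a.csv, so keep base names unique within the folder.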