This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TShark: Display Filter and Statistics


Hello all,

I am running CentOS v5.8 64bit. What are the correct display filter options to use in TShark if I want to redirect the output as CSV when reading a PCAP file? The columns should have the following output, separated by commas:

timestamp,ip.src,source-port,ip.dst,destination-port,transport-layer-protocol,upload-bandwidth,download-bandwidth

Where:

  • timestamp = the actual time of a packet
  • ip.src = the source IP address
  • source-port = the source port
  • ip.dst = the destination IP address
  • destination-port = the destination port
  • transport-layer-protocol = be it TCP, UDP, SCTP, etc.
  • upload-bandwidth = the upload bandwidth in bytes
  • download-bandwidth = the download bandwidth in bytes

My current tshark syntax is:

# tshark -n -r file.pcap -T fields -E separator=',' -e ip.src -e ip.dst

As you can see, I still don't know what the other display filters are that I need to use in order to achieve my requirement. I hope someone from this community can help me.

Below is the screenshot from Wireshark of customizing the display filter columns, which I would like to achieve in a single tshark command.

[Screenshot: Customizing Display Filter Columns]

Lastly, is there a way to get statistics of the total upload bandwidth and the total download bandwidth by source IP address, grouped by destination IP address, destination port or transport layer protocol, as part of the TShark options?

Thank you in advance.

asked 26 Aug '12, 19:37


bintut

edited 29 Aug '12, 02:55

I found the preferences file from my Wireshark on my MS Windows 7 desktop and tried to execute the command on my CentOS v5.8 machine, and I got an error:

# tshark -n -i eth0 -o column.format:""Time","%Cus:frame.time:0:R","Source IP Address","%us","Source Port","%uS","Destination IP Address","%ud","Destination Port","%uD","Protocol","%p","Packet Size","%L""

tshark: Invalid -o flag "column.format:Time,%Cus:frame.time:0:R,Source"

(29 Aug '12, 03:27) bintut

Now, the below command partially works for what I need:

# tshark -r file.pcap -o column.format:"Time","%Cus:frame.time","Source IP Address","%us","Source Port","%uS","Destination IP Address","%ud","Destination Port","%uD","Protocol","%p","Packet Size","%L"

Now, how can I change the spaces/tabs into a comma? If I try to add the options:

-T fields -E separator=','

I am getting an error message:

tshark: "-Tfields" was specified, but no fields were specified with "-e".

(29 Aug '12, 15:19) bintut

One Answer:


To find a filter field name, open a capture file in Wireshark, select the required node in the packet tree, e.g. tcp, and then select the field required, e.g. the source port. The filter field name will be shown in the status bar at the bottom (tcp.srcport in this instance).

answered 27 Aug '12, 00:42


grahamb ♦

edited 29 Aug '12, 03:26

But in Wireshark, you can specify the column names generically when you go to "Edit > Preferences > User Interface > Columns", as shown in my screenshot above, especially for the source port and destination port regardless of transport layer protocol. So, how am I able to execute a single tshark command from the CLI in order to achieve the CSV format that I want?

(29 Aug '12, 02:56) bintut

When I mentioned "filter name" in my answer I really meant field name.

In the editor for the columns there is a field "Field name:", in your example "frame.time_epoch". This is the value you use in the tshark command line with the -e command, e.g. -e frame.time_epoch.

(29 Aug '12, 03:22) grahamb ♦

I cannot get the source port and destination port in just one tshark command regardless of the transport layer protocol. In Wireshark, with the configuration I mentioned above, it can display the source port number and destination port number regardless of whether it's TCP, UDP, SCTP, etc. What I know for now in tshark is "-e tcp.srcport" or "-e udp.srcport", but nothing like just "-e srcport".

(29 Aug '12, 03:41) bintut
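An added example, not from the thread or the Wireshark project: tshark prints one column per -e field, so a protocol-independent port column has to be merged after the fact. The script below assumes the output of `tshark -n -r file.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src -e tcp.srcport -e udp.srcport -e sctp.srcport -e ip.dst -e tcp.dstport -e udp.dstport -e sctp.dstport -e ip.proto -e frame.len`, collapses the three port fields into one, and then sums upload/download bytes per source IP grouped by destination IP, destination port and protocol (the statistics asked for in the question); the sample input is constructed, not a real capture.

```python
import csv
import io

# Field order of the tshark -e list in the lead-in (an assumption of this example).
FIELDS = ["frame.time_epoch", "ip.src", "tcp.srcport", "udp.srcport", "sctp.srcport",
          "ip.dst", "tcp.dstport", "udp.dstport", "sctp.dstport", "ip.proto", "frame.len"]
PROTO_NAMES = {"6": "TCP", "17": "UDP", "132": "SCTP"}  # ip.proto numbers

def parse_tshark_csv(text):
    """Parse tshark -T fields -E separator=, output into per-packet dicts; only one
    of the tcp/udp/sctp port fields is filled per packet, so take the non-empty one."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue  # blank or malformed line (e.g. a non-IP packet)
        d = dict(zip(FIELDS, rec))
        rows.append({
            "ts": d["frame.time_epoch"], "src": d["ip.src"], "dst": d["ip.dst"],
            "sport": d["tcp.srcport"] or d["udp.srcport"] or d["sctp.srcport"],
            "dport": d["tcp.dstport"] or d["udp.dstport"] or d["sctp.dstport"],
            "proto": PROTO_NAMES.get(d["ip.proto"], d["ip.proto"]),
            "len": int(d["frame.len"]),
        })
    return rows

def flow_bytes(rows):
    """Upload/download byte totals keyed by (src IP, dst IP, dst port, proto).
    Assumption: the first packet seen in a flow comes from the uploading side."""
    totals = {}
    for r in rows:
        reverse = (r["dst"], r["src"], r["sport"], r["proto"])
        if reverse in totals:  # reply direction of a flow already seen
            totals[reverse]["download"] += r["len"]
            continue
        fwd = totals.setdefault((r["src"], r["dst"], r["dport"], r["proto"]),
                                {"upload": 0, "download": 0})
        fwd["upload"] += r["len"]
    return totals

# Constructed sample tshark output: one HTTP, one DNS and one SCTP flow.
SAMPLE = """\
1346029000.000,10.0.0.5,51234,,,198.51.100.20,80,,,6,74
1346029000.010,198.51.100.20,80,,,10.0.0.5,51234,,,6,1514
1346029000.020,10.0.0.5,,40000,,10.0.0.53,,53,,17,70
1346029000.030,10.0.0.53,,53,,10.0.0.5,,40000,,17,150
1346029000.040,10.0.0.5,,,36412,10.0.0.9,,,36412,132,120
"""
```

Feed real tshark output in place of SAMPLE (for example via sys.stdin.read()) and print `flow_bytes(parse_tshark_csv(text))` to get the per-flow totals.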