I would like to convert tcpdump output into tshark's standard decoded output. As you know, tcpdump doesn't summarize the gathered data the way tshark does. That's too bad, because there are so many doubled values in the pcap file, for example:

I would like to have decoded output similar to this from tshark:

TSHARK:
<-> 276 29298 0 0 276 29298 42.208780000 1755.1373
<-> 0 0 205 22974 205 22974 40.616219000 1746.5140
<-> 199 20184 0 0 199 20184 2.779606000 1784.9520
<-> 198 20412 0 0 198 20412 14.735165000 1781.4088

I've found some information on this site:

It does the job well; however, I'm getting doubled lines, even though it's the same connection: 778663 739008

Have you ever managed to do this correctly in Perl?

asked 19 Sep '12, 05:36

cps86

The beauty of writing a script to do some work for you is that you can make it do exactly what YOU want. It is quite easy to extend the script that you are referring to, to make it combine both flows of the TCP session into one output line. I have done so in the past...

Hmmm... looking at the script you are referring to, it should not produce the output you are showing. Did you alter the script to your needs already? You can use a conversation index based on IP addresses and ports, and determine the direction of traffic by swapping the src and dst if the dst port is higher than the src port. Just a suggestion...

answered 20 Sep '12, 23:35

SYN-bit ♦♦
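
The conversation-index approach suggested in the answer above, sketched in Python as an added example; it is not the Perl script the question refers to and not code from either poster. It assumes `tcpdump -nn -tt` text output; the names `PKT`, `conversations` and `report` are hypothetical, the sample lines are constructed, and the byte counts are the payload `length` tcpdump prints, whereas tshark counts whole frames.

```python
import re
from decimal import Decimal

# Constructed `tcpdump -nn -tt` text output (not data from the original post).
SAMPLE = """\
1348045000.000000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [S], seq 100, win 65535, length 0
1348045000.010000 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [S.], seq 500, ack 101, win 65535, length 0
1348045000.020000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [P.], seq 101:301, ack 501, win 229, length 200
1348045000.500000 IP 10.0.0.7.40000 > 192.0.2.10.443: Flags [P.], seq 1:51, ack 1, win 229, length 50
1348045001.020000 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [P.], seq 501:2001, ack 301, win 235, length 1500
1348045002.500000 IP 192.0.2.10.443 > 10.0.0.7.40000: Flags [.], ack 51, win 235, length 0
1348045003.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""

PKT = re.compile(r"^(?P<ts>\d+\.\d+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
                 r"(?P<dst>\S+)\.(?P<dport>\d+): .*\blength (?P<len>\d+)")

def conversations(lines):
    """Fold both directions of each flow into one record (hypothetical helper)."""
    convs = {}
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue                      # ARP, ICMP and other port-less lines
        ts, size = Decimal(m["ts"]), int(m["len"])   # Decimal keeps microseconds exact
        a, b = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        a_to_b = True
        # Swap when the dst port is higher than the src port (address breaks ties).
        if (b[1], b[0]) > (a[1], a[0]):
            a, b, a_to_b = b, a, False
        c = convs.setdefault((a, b), {"a_to_b": [0, 0], "b_to_a": [0, 0],
                                      "first": ts, "last": ts})
        side = c["a_to_b" if a_to_b else "b_to_a"]
        side[0] += 1                      # frames
        side[1] += size                   # bytes (TCP payload as tcpdump prints it)
        c["first"], c["last"] = min(c["first"], ts), max(c["last"], ts)
    return convs

def report(convs):
    """One line per conversation: <- frames bytes, -> frames bytes, total, start, duration."""
    t0 = min((c["first"] for c in convs.values()), default=Decimal(0))
    rows = []
    for (a, b), c in convs.items():
        (fi, bi), (fo, bo) = c["b_to_a"], c["a_to_b"]
        rows.append(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} {fi} {bi} {fo} {bo} "
                    f"{fi + fo} {bi + bo} {c['first'] - t0:.6f} {c['last'] - c['first']:.4f}")
    return rows

if __name__ == "__main__":
    print("\n".join(report(conversations(SAMPLE.splitlines()))))
```

Because the key always puts the higher port first, a request and its reply land in the same record, which is what removes the doubled lines.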