This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extracting specific information column wise

0

Hi i have a wire shark capture, in which there are specific information in each packet which i can see after decoding it as RTP. now i need those data into a csv file for further investigations. what is the procedure for getting those data in csv format.

asked 29 May '13, 02:34

pranav%20s's gravatar image

pranav s
11112
accept rate: 0%

2 Answers:

1

If I understand the question correctly, one approach might be to add the field of interest as a displayed column, and then export the dissected packets.

One way you can add any field as a column, is by finding the field in the packet details pane, right click it, and then select "Apply as column". Another, harder, way to do it is to select Edit | Preferences | Columns and make changes to the displayed columns from there.

You can export all the displayed columns, for specific trace records or for all records, by selecting File | Export Packet Dissections | and then select the export format you prefer (.csv, .txt, etc)

answered 30 May '13, 21:51

griff's gravatar image

griff
36139
accept rate: 10%

You, sir, just saved me a ton of manual work. Have some points.

(31 May '13, 00:24) spoorzoeker

the type of data i am talking about is bit rate of video, in a single packet its shows latest and last 3 bit rate (as history). so in total there are 4 data with same name "Current Bit rate = a (b,c,d)" so when applying as column, the column shows 4 bit rate as a,b,c,d but i need only one in that column (the latest one)

(31 May '13, 02:13) pranav s

Then you can use the "occurrence" value. Pick 0 for all values, 1 for the first, 2 for the second etc. Or use -1 to always pick the last one regardless of how many values there are.

(31 May '13, 02:21) SYN-bit ♦♦

1

One other way (especially if you need to do this on multiple files or multiple times) is to use tshark. You can use the following syntax:

tshark -r <file> -d udp.port==<port>,rtp -T fields -e ip.src -e ip.dst -e <field3> -e <field4>

You can change the header, separator etc, see tshark -h:

  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values

answered 31 May '13, 01:06

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

For field I can add any of the fields given in the list under Preferences | Column? Is this list exhaustive or are there more options I can find in a help function in the man pages somewhere but have not yet uncovered?

(31 May '13, 01:14) spoorzoeker

For "field" you can use any filterable field, click on the specific field of interest in the packet details pane and you will see the field name in the status bar (you might need to enlarge the left section). You can also use "rightclick -> copy -> fieldname" (or SHIFT-CTRL-F) to get the fieldname.

(31 May '13, 01:19) SYN-bit ♦♦