This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use TShark to write Protocol like the column in Wireshark

Hi.

I need to process pcap files and extract data into csv files, including the protocol name. If I do this via Wireshark, the Protocol column is exactly what I need. However, it's very inconvenient to manually open files and export them. I've tried using TShark and it's great, but the closest thing I've found to the Protoocl is frame.protocols. I don't mind the extra data, but in several files I've tried to open this does not display the needed information. Sometimes I get eth:ip:tcp:data while Wireshark's protocol column will display the protocol name accurately.

Anything I'm missing?

Thanks.

pcap protocol tshark wireshark

asked 31 Jul '13, 09:51

vadgros
36●2●4●5
accept rate: 0%

2 Answers:

3	Use `-e col.Protocol`. The col prefix is short for column, then the column name with the same case as is shown in Wireshark. answered 31 Jul '13, 10:07 grahamb ♦ 19.8k●3●30●206 accept rate: 22% Great. Thanks a lot. (31 Jul '13, 10:22) vadgros

As of the 1.11.x and 1.12 versions of tshark, the field names are "_ws.col.Protocol" and "_ws.col.Info", instead of "col.Protocol" and "col.Info".

Example:

tshark -T fields -e _ws.col.Protocol -e _ws.col.Info

Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10201

answered 19 Jun '14, 16:58

CraigGarrett
86●1●3
accept rate: 0%

edited 20 Jun '14, 10:21