This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use TShark to write Protocol like the column in Wireshark

1
1

Hi.

I need to process pcap files and extract data into csv files, including the protocol name. If I do this via Wireshark, the Protocol column is exactly what I need. However, it's very inconvenient to manually open files and export them. I've tried using TShark and it's great, but the closest thing I've found to the Protoocl is frame.protocols. I don't mind the extra data, but in several files I've tried to open this does not display the needed information. Sometimes I get eth:ip:tcp:data while Wireshark's protocol column will display the protocol name accurately.

Anything I'm missing?

Thanks.

asked 31 Jul '13, 09:51

vadgros's gravatar image

vadgros
36245
accept rate: 0%


2 Answers:

3

Use -e col.Protocol. The col prefix is short for column, then the column name with the same case as is shown in Wireshark.

answered 31 Jul '13, 10:07

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Great. Thanks a lot.

(31 Jul '13, 10:22) vadgros

1

As of the 1.11.x and 1.12 versions of tshark, the field names are "_ws.col.Protocol" and "_ws.col.Info", instead of "col.Protocol" and "col.Info".

Example:

tshark -T fields -e _ws.col.Protocol -e _ws.col.Info

Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10201

answered 19 Jun '14, 16:58

CraigGarrett's gravatar image

CraigGarrett
8613
accept rate: 0%

edited 20 Jun '14, 10:21