This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to export packet summary to text file?

1

I have a capture of HTTP traffic that I need to extract values of Info field from. If I right click on each packet, select Copy -> Summary (Text) and then paste it in notepad I would eventually get all the values, but it would take me hours to do. Is there a quicker way to do it? None of the exports I tried worked for me.

Thanks

asked 12 Oct '13, 08:11

net_tech

edited 12 Oct '13, 10:30

cmaynard ♦♦


One Answer:

2

If you really want all the information from the Info column, then you are probably better off using tshark for this. Something like:

tshark -r file.pcap -P -Y "http" -o gui.column.format:'"Info", "%i"' > http_info.txt

Otherwise, if you're just looking for specific http fields from specific http packets, then you might want to just extract those specific fields of interest. A hypothetical example:

tshark -r file.pcap -Y "http.request.method == GET" -T fields -e frame.number -e http.request.uri -e http.user_agent ...

UPDATE

I believe I made a mistake above in thinking that you only wanted the Info column, but I think you are interested in all columns, so all you really should need to do is to run tshark as follows (substituting "http" for whatever filter is desirable for you):

tshark -r file.pcap -P -Y "http" > http_summary.txt

This will get you all of the columns that Wireshark is currently configured to display.

answered 12 Oct '13, 10:21

cmaynard ♦♦

edited 12 Oct '13, 10:30

cmaynard,

tshark -r file.pcap -P -Y "http" > http_summary.txt is exactly what I was looking for! Thanks for your help.

(12 Oct '13, 11:41) net_tech

I should have also mentioned that you can accomplish the same thing just as easily with Wireshark using File -> Export Packet Dissections -> as "Plain Text" file..., and then just be sure to select "Packet summary line" and deselect all other options in the "Packet Format" grouping.

My initial misinterpretation of the question led me to direct you to use tshark, which is why I forgot to mention the Wireshark method, but as you can see, you can accomplish this with either Wireshark or tshark.

(14 Oct '13, 18:25) cmaynard ♦♦
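
An added example, not part of the original answer or comments: a Python sketch that builds the `-T fields` command from the answer and parses its tab-separated output, keeping columns aligned when a request has no User-Agent. The helper names, the `-E occurrence=f` option and the sample output are additions here, not taken from the thread.

```python
import subprocess
import sys

# Fields from the answer's hypothetical example.
FIELDS = ["frame.number", "http.request.uri", "http.user_agent"]

def tshark_cmd(pcap, display_filter="http.request.method == GET", fields=FIELDS):
    """Build the tshark argument list (a list avoids shell quoting issues)."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields",
           "-E", "occurrence=f"]  # first occurrence only: one value per column
    for name in fields:
        cmd += ["-e", name]
    return cmd

def parse_fields(text, fields=FIELDS):
    """Turn tab-separated tshark output into one dict per packet."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(fields) - len(cols))  # pad absent trailing fields
        rows.append(dict(zip(fields, cols)))
    return rows

def frames_without_user_agent(rows):
    """Frame numbers of requests that carried no User-Agent header."""
    return [r["frame.number"] for r in rows if not r["http.user_agent"]]

# Constructed sample of tshark -T fields output (not from a real capture).
SAMPLE = (
    "4\t/index.html\tMozilla/5.0\n"
    "9\t/login.php?user=a\t\n"
    "15\t/favicon.ico\tcurl/7.30.0\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # requires tshark on PATH
        out = subprocess.run(tshark_cmd(sys.argv[1]), capture_output=True,
                             text=True, check=True).stdout
    else:
        out = SAMPLE
    for row in parse_fields(out):
        print(row)
    print("no User-Agent:", frames_without_user_agent(parse_fields(out)))
```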