This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Converting multiple pcap files to csv

0

I already found a post that does this, but in windows, and I'd like to make the same for linux, but I'm kind of a newbie when it comes to the shell environment. I'd like it to work on .gz files, more than .cap files, as the windows topic suggests.

Could someone hint me on how to do this?

http://ask.wireshark.org/questions/12799/how-to-convert-multiple-pcap-files-to-csv

That is the windows topic for it.

asked 02 Jan '14, 19:14

twolf's gravatar image

twolf
1113
accept rate: 0%

edited 03 Jan '14, 05:21

One Answer:

2

Although this is not exactly a Wireshark question, I'm going to answer it, as I answered the other questions as well.

So, here we go.

#!/bin/bash

please change the path names if necessary


cap_files='/tmp/*.pcap.gz'


outfile='/tmp/outfile.csv'
tmpfile='/tmp/tmp_file.pcap'


tshark_cmd='tshark'
tshark_options='-n -T fields -E separator=, -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e tcp.analysis.ack_rtt'


for file in $cap_files
do
echo "processing file: $file"
gunzip -c $file > $tmpfile
echo "== File:  $file"  >> $outfile
$tshark_cmd -r $tmpfile $tshark_options >> $outfile
done
rm $tmpfile


echo "Results in: $outfile … Cheers Kurt"

This is just a small (working) example. Please modify it to your needs. However if you need further help with shell scripting, I suggest to ask the people at http://stackoverflow.com/ or http://superuser.com/

Regards
Kurt

answered 09 Jan ‘14, 09:40

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%