Converting multiple pcap files to csv

Question

I already found a post that does this, but in windows, and I'd like to make the same for linux, but I'm kind of a newbie when it comes to the shell environment. I'd like it to work on .gz files, more than .cap files, as the windows topic suggests.

Could someone hint me on how to do this?

http://ask.wireshark.org/questions/12799/how-to-convert-multiple-pcap-files-to-csv

That is the windows topic for it.

Answer 1

Although this is not exactly a Wireshark question, I'm going to answer it, as I answered the other questions as well.

So, here we go.

#!/bin/bash
please change the path names if necessary
cap_files='/tmp/*.pcap.gz'
outfile='/tmp/outfile.csv'
tmpfile='/tmp/tmp_file.pcap'
tshark_cmd='tshark'
tshark_options='-n -T fields -E separator=, -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e tcp.analysis.ack_rtt'
for file in $cap_files
do
echo "processing file: $file"
gunzip -c $file > $tmpfile
echo "== File:  $file"  >> $outfile
$tshark_cmd -r $tmpfile $tshark_options >> $outfile
done
rm $tmpfile
echo "Results in: $outfile … Cheers Kurt"

This is just a small (working) example. Please modify it to your needs. However if you need further help with shell scripting, I suggest to ask the people at http://stackoverflow.com/ or http://superuser.com/

Regards
Kurt