So here's the deal. My goal is to take a capture from TCPDUMP and import it into a MySQL database. I want to use Wireshark to create a CSV file using the "tshark -r Myfile -T fields" command. Once I have the CSV file, I can use MySQL to import the data into the database table. I would like this CSV file to look exactly like the CSV file created by using the export feature in the Wireshark GUI. So it should look like this:

    "No.","Time","Source","Destination","Protocol","Info"
    "1","0.000000","IntelCor_37:d2:aa","Broadcast","ARP","Who has 192.168.1.138? Tell 0.0.0.0"

So far this is what I have:

    tshark -r /home/ftpuser/capture1.cap -T fields -e frame.number -e frame.time -E separator=, -E quote=d > /home/ftpuser/capture1csv.csv

Thanks in advance!
    $ tshark -r test.pcap -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -E header=y -E separator=, -E quote=d -E occurrence=f > test.csv

    frame.number,frame.time,eth.src,eth.dst,ip.src,ip.dst,ip.proto
    "1","Mar 11, 2011 21:01:43.784303000","00:18:71:7a:90:36","00:50:56:97:2c:57","10.14.0.202","10.14.0.124","6"
    "2","Mar 11, 2011 21:01:43.787954000","00:18:71:7a:90:36","00:50:56:97:2c:57","10.14.0.202","10.14.0.124","6"
    "3","Mar 11, 2011 21:01:43.788908000","00:18:71:7a:90:36","00:50:56:97:2c:57","10.14.0.202","10.14.0.124","6"
    "4","Mar 11, 2011 21:01:43.788910000","00:18:71:7a:90:36","00:50:56:97:19:17","10.14.0.202","10.14.0.128","6"
    "5","Mar 11, 2011 21:01:43.798652000","00:00:5e:00:01:01","01:00:5e:00:00:12","10.14.7.1","224.0.0.18","112"
    "6","Mar 11, 2011 21:01:43.801064000","00:19:bb:33:a4:b8","ff:ff:ff:ff:ff:ff","10.14.0.80","255.255.255.255","17"
    "7","Mar 11, 2011 21:01:43.849226000","00:16:b9:1b:63:00","00:80:5a:68:ac:63","10.14.255.6","10.14.0.10","17"
    "8","Mar 11, 2011 21:01:43.866250000","00:1e:0b:1e:7e:fe","00:80:64:60:92:2b","10.14.1.5","10.14.16.129","6"
    "9","Mar 11, 2011 21:01:43.866723000","00:19:bb:33:a4:b8","00:19:bb:94:5c:80","10.14.0.80","10.14.7.5","17"

Protocol Numbers

Thanks joke. That will work great. I was really hoping to get that Info field somehow, but I guess I'll have to do without.
(20 Mar '11, 09:23)
mowchow
Perhaps you can add other -e fields. For ARP:

    $ tshark -r test.pcap -T fields -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -E header=y
    arp.src.proto_ipv4,arp.dst.proto_ipv4
    "10.14.1.5","10.14.1.1"
    "10.14.1.1","10.14.1.5"
(20 Mar '11, 11:24)
joke
Hi Joke, I had a follow-up question. Could you please tell me a way to put decrypted data into a CSV file?
(14 May '17, 23:19)
ameya_k
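As an added example (my code, not anything posted in this thread): the part the question is really after is getting joke's CSV into MySQL, and his output shows three things to handle on the way. frame.time itself contains a comma ("Mar 11, 2011 ..."), so `-E quote=d` is essential and the file must be read with a real CSV parser rather than split on commas; tshark prints nanosecond timestamps, which exceed MySQL's DATETIME(6) microsecond precision; and every field comes from the wire (the Info column especially, once you can export it), so the values must be passed to the database through driver placeholders, never spliced into the SQL string. The table name `packets`, its column names and the partial protocol-number map below are assumptions of mine; the sample rows are copied from joke's output.

```python
import csv
import io
from datetime import datetime

# Constructed sample: three rows copied from the tshark output in the answer above,
# produced with -E header=y -E separator=, -E quote=d -E occurrence=f.
SAMPLE_CSV = """frame.number,frame.time,eth.src,eth.dst,ip.src,ip.dst,ip.proto
"1","Mar 11, 2011 21:01:43.784303000","00:18:71:7a:90:36","00:50:56:97:2c:57","10.14.0.202","10.14.0.124","6"
"5","Mar 11, 2011 21:01:43.798652000","00:00:5e:00:01:01","01:00:5e:00:00:12","10.14.7.1","224.0.0.18","112"
"6","Mar 11, 2011 21:01:43.801064000","00:19:bb:33:a4:b8","ff:ff:ff:ff:ff:ff","10.14.0.80","255.255.255.255","17"
"""

# Names for the IANA-assigned protocol numbers that appear in the sample (partial list, my assumption).
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 112: "VRRP"}

# Hypothetical target table; adjust to your own schema. %s is the DB-API paramstyle of the MySQL drivers.
INSERT_SQL = (
    "INSERT INTO packets "
    "(frame_number, frame_time, eth_src, eth_dst, ip_src, ip_dst, ip_proto, proto_name) "
    "VALUES (%s, %s, %s, %s, %s, %s, %s, %s)"
)


def field_count_naive(line):
    """Count fields by splitting on ',' (wrong: frame.time itself contains a comma)."""
    return len(line.split(","))


def field_count_csv(line):
    """Count fields with a real CSV parser that honours the double quotes from -E quote=d."""
    return len(next(csv.reader([line])))


def parse_frame_time(text):
    """Turn tshark's frame.time ('Mar 11, 2011 21:01:43.784303000') into a datetime.

    tshark prints nanoseconds; MySQL DATETIME(6) holds microseconds, so the value
    is truncated (not rounded) to six fractional digits.
    """
    parts = text.strip().split()
    if parts[-1].isalpha():        # newer tshark versions append a zone name such as "CET"
        parts = parts[:-1]         # (the output in the thread has none)
    stamp = " ".join(parts)
    date_part, frac = stamp.rsplit(".", 1)
    micros = frac[:6].ljust(6, "0")
    return datetime.strptime(f"{date_part}.{micros}", "%b %d, %Y %H:%M:%S.%f")


def parse_tshark_csv(text):
    """Parse the CSV produced by the tshark command above into a list of dicts.

    Non-IP frames (e.g. ARP) have empty ip.* fields because those dissector fields
    are absent; they become None so the column can be NULL in the database.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        proto = int(rec["ip.proto"]) if rec["ip.proto"] else None
        rows.append({
            "frame_number": int(rec["frame.number"]),
            "frame_time": parse_frame_time(rec["frame.time"]),
            "eth_src": rec["eth.src"],
            "eth_dst": rec["eth.dst"],
            "ip_src": rec["ip.src"] or None,
            "ip_dst": rec["ip.dst"] or None,
            "ip_proto": proto,
            "proto_name": IP_PROTO_NAMES.get(proto, str(proto) if proto is not None else None),
        })
    return rows


def insert_params(row):
    """Parameter tuple matching INSERT_SQL.

    Capture fields are attacker-controlled (the Info column especially), so they go
    through the driver's placeholders and are never pasted into the SQL string.
    """
    return (
        row["frame_number"], row["frame_time"], row["eth_src"], row["eth_dst"],
        row["ip_src"], row["ip_dst"], row["ip_proto"], row["proto_name"],
    )


if __name__ == "__main__":
    rows = parse_tshark_csv(SAMPLE_CSV)
    # With a MySQL DB-API driver: cursor.executemany(INSERT_SQL, [insert_params(r) for r in rows])
    for r in rows:
        print(insert_params(r))
```

With a DB-API driver the load is `cursor.executemany(INSERT_SQL, [insert_params(r) for r in rows])`. If you use `LOAD DATA INFILE` instead, keep `-E quote=d` and declare `FIELDS TERMINATED BY ',' ENCLOSED BY '"'`, and note that frame.time will not parse as a MySQL DATETIME without the same reformatting shown in `parse_frame_time`.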
Now you can get the Info field: you have to use the latest Development Release.