This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Creating a csv file with tshark

0

So here's the deal. My goal is to take a capture from TCPDUMP and import it into a MySQL database.

I want to use wireshark to create a csv file using the "tshark -r Myfile -t fields" command. Once I have the csv file, i can use mysql to import the data into the database table.

I would like this csv file to look exactly like the csv file created by using the export feature in the wireshark gui. So it should look like this:

"No.","Time","Source","Destination","Protocol","Info" "1","0.000000","IntelCor_37:d2:aa","Broadcast","ARP","Who has 192.168.1.138? Tell 0.0.0.0"

So far this is what I have: tshark -r /home/ftpuser/capture1.cap -T fields -e frame.number -e frame.time -E separator=, -E quote=d > /home/ftpuser/capture1csv.csv

Thanks in advance!

asked 19 Mar '11, 18:15

mowchow's gravatar image

mowchow
6112
accept rate: 0%

2 Answers:

2
$ tshark -r test.pcap -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -E header=y -E separator=, -E quote=d -E occurrence=f > test.csv
frame.number,frame.time,eth.src,eth.dst,ip.src,ip.dst,ip.proto
"1","Mar 11, 2011 21:01:43.784303000","00:18:71:7a:90:36","00:50:56:97:2c:57","10.14.0.202","10.14.0.124","6"
"2","Mar 11, 2011 21:01:43.787954000","00:18:71:7a:90:36","00:50:56:97:2c:57","10.14.0.202","10.14.0.124","6"
"3","Mar 11, 2011 21:01:43.788908000","00:18:71:7a:90:36","00:50:56:97:2c:57","10.14.0.202","10.14.0.124","6"
"4","Mar 11, 2011 21:01:43.788910000","00:18:71:7a:90:36","00:50:56:97:19:17","10.14.0.202","10.14.0.128","6"
"5","Mar 11, 2011 21:01:43.798652000","00:00:5e:00:01:01","01:00:5e:00:00:12","10.14.7.1","224.0.0.18","112"
"6","Mar 11, 2011 21:01:43.801064000","00:19:bb:33:a4:b8","ff:ff:ff:ff:ff:ff","10.14.0.80","255.255.255.255","17"
"7","Mar 11, 2011 21:01:43.849226000","00:16:b9:1b:63:00","00:80:5a:68:ac:63","10.14.255.6","10.14.0.10","17"
"8","Mar 11, 2011 21:01:43.866250000","00:1e:0b:1e:7e:fe","00:80:64:60:92:2b","10.14.1.5","10.14.16.129","6"
"9","Mar 11, 2011 21:01:43.866723000","00:19:bb:33:a4:b8","00:19:bb:94:5c:80","10.14.0.80","10.14.7.5","17"

Protocol Numbers
6 = tcp
112 = vrrp
17 = udp
Here you can find more information about protocol numbers.

Note
The info column is not a filterable field.

answered 20 Mar '11, 08:34

joke's gravatar image

joke
1.3k4934
accept rate: 9%

Thanks joke.

That will work great. I was really hoping to get that info field some how but I guess ill have to do without.

(20 Mar '11, 09:23) mowchow

Perhaps you can add other -e fields.

arp
$ tshark -r test.pcap -T fields -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -E  header=y 
arp.src.proto_ipv4,arp.dst.proto_ipv4
"10.14.1.5","10.14.1.1"
"10.14.1.1","10.14.1.5"
http
$ tshark -r test.pcap -T fields -e http.request.method -e http.request.uri -e http.host -E  header=y 
http.request.method,http.request.uri,http.host
"GET","/","www.google.nl"
(20 Mar '11, 11:24) joke

Hi Joke, i had a follow up question. Could you please tell me a way to put decrypted data into a csv file.

(14 May '17, 23:19) ameya_k

2

Now you can get the Info field: you have to use the latest Development Release.
See Wireshark Bug 2892.
Download the Development Release Version 1.9.0.
Use the following command:
$ tshark -i 2 -T fields -e frame.time -e col.Info

Output
Feb 28, 2013 20:58:24.604635000 Who has 10.10.128.203? Tell 10.10.128.1
Feb 28, 2013 20:58:24.678963000 Who has 10.10.128.163? Tell 10.10.128.1

Note
-e col.Info,
Use capital I

answered 28 Feb '13, 21:34

joke's gravatar image

joke
1.3k4934
accept rate: 9%