
Creating a csv file with tshark


So here's the deal. My goal is to take a capture from TCPDUMP and import it into a MySQL database.

I want to use Wireshark to create a csv file using the "tshark -r Myfile -t fields" command. Once I have the csv file, I can use mysql to import the data into the database table.

I would like this csv file to look exactly like the csv file created by using the export feature in the Wireshark GUI. So it should look like this:

"No.","Time","Source","Destination","Protocol","Info"
"1","0.000000","IntelCor_37:d2:aa","Broadcast","ARP","Who has Tell"

So far this is what I have:

tshark -r /home/ftpuser/capture1.cap -T fields -e frame.number -e frame.time -E separator=, -E quote=d > /home/ftpuser/capture1csv.csv

Thanks in advance!

asked 19 Mar '11, 18:15


2 Answers:

$ tshark -r test.pcap -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -E header=y -E separator=, -E quote=d -E occurrence=f > test.csv
"1","Mar 11, 2011 21:01:43.784303000","00:18:71:7a:90:36","00:50:56:97:2c:57","","","6"
"2","Mar 11, 2011 21:01:43.787954000","00:18:71:7a:90:36","00:50:56:97:2c:57","","","6"
"3","Mar 11, 2011 21:01:43.788908000","00:18:71:7a:90:36","00:50:56:97:2c:57","","","6"
"4","Mar 11, 2011 21:01:43.788910000","00:18:71:7a:90:36","00:50:56:97:19:17","","","6"
"5","Mar 11, 2011 21:01:43.798652000","00:00:5e:00:01:01","01:00:5e:00:00:12","","","112"
"6","Mar 11, 2011 21:01:43.801064000","00:19:bb:33:a4:b8","ff:ff:ff:ff:ff:ff","","","17"
"7","Mar 11, 2011 21:01:43.849226000","00:16:b9:1b:63:00","00:80:5a:68:ac:63","","","17"
"8","Mar 11, 2011 21:01:43.866250000","00:1e:0b:1e:7e:fe","00:80:64:60:92:2b","","","6"
"9","Mar 11, 2011 21:01:43.866723000","00:19:bb:33:a4:b8","00:19:bb:94:5c:80","","","17"

Protocol Numbers
6 = tcp
112 = vrrp
17 = udp
Here you can find more information about protocol numbers.

The info column is not a filterable field.

answered 20 Mar '11, 08:34


Thanks joke.

That will work great. I was really hoping to get that info field somehow but I guess I'll have to do without.

(20 Mar '11, 09:23) mowchow

Perhaps you can add other -e fields.

$ tshark -r test.pcap -T fields -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -E header=y
$ tshark -r test.pcap -T fields -e http.request.method -e http.request.uri -E header=y
(20 Mar '11, 11:24) joke

Hi Joke, I had a follow up question. Could you please tell me a way to put decrypted data into a csv file?

(14 May '17, 23:19) ameya_k


Now you can get the Info field: you have to use the latest Development Release.
See Wireshark Bug 2892.
Download the Development Release Version 1.9.0.
Use the following command:
$ tshark -i 2 -T fields -e frame.time -e col.Info

Feb 28, 2013 20:58:24.604635000 Who has Tell
Feb 28, 2013 20:58:24.678963000 Who has Tell

-e col.Info,
Use capital I

answered 28 Feb '13, 21:34
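
Added example, not part of either answer: a Python loader for the CSV that the commands above produce, covering the asker's import step. It assumes the first answer's field list with -e col.Info appended and the frame.time format shown in that answer's output; the sample rows are constructed, the table and column names are hypothetical, and sqlite3 stands in for MySQL so the block runs offline.

```python
import csv
import io
import sqlite3
from datetime import datetime

# Field order: the first answer's -e list plus col.Info from the second answer.
FIELDS = ["frame.number", "frame.time", "eth.src", "eth.dst",
          "ip.src", "ip.dst", "ip.proto", "col.Info"]
PROTO = {"6": "tcp", "17": "udp", "112": "vrrp"}  # numbers listed in the answer

# Constructed sample rows (not real capture data) in the quote=d layout.
SAMPLE = (
    '"1","Mar 11, 2011 21:01:43.784303000","00:18:71:7a:90:36",'
    '"00:50:56:97:2c:57","192.0.2.10","192.0.2.20","6","GET /o\'brien,list HTTP/1.1"\n'
    '"5","Mar 11, 2011 21:01:43.798652000","00:00:5e:00:01:01",'
    '"01:00:5e:00:00:12","","","112","Announcement (v2)"\n'
)

def parse_time(ts):
    """'Mar 11, 2011 21:01:43.784303000' -> 'YYYY-MM-DD HH:MM:SS.ffffff'."""
    head, frac = ts.split(".")
    stamp = datetime.strptime(head, "%b %d, %Y %H:%M:%S")
    return stamp.isoformat(sep=" ") + "." + frac[:6]

def rows_from_tshark(text):
    """Yield one tuple per packet; csv.reader keeps quoted commas intact."""
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec == FIELDS:  # skip blank lines and the header=y line
            continue
        if len(rec) != len(FIELDS):
            raise ValueError(f"unexpected column count: {rec!r}")
        num, ts, esrc, edst, isrc, idst, proto, info = rec
        yield (int(num), parse_time(ts), esrc, edst,
               isrc or None, idst or None, PROTO.get(proto, proto), info)

def load(text):
    """Insert with bound parameters: packet contents are untrusted input."""
    db = sqlite3.connect(":memory:")  # sqlite3 stands in for the MySQL table
    db.execute("CREATE TABLE packets (num INTEGER PRIMARY KEY, time TEXT, "
               "eth_src TEXT, eth_dst TEXT, ip_src TEXT, ip_dst TEXT, "
               "proto TEXT, info TEXT)")
    db.executemany("INSERT INTO packets VALUES (?,?,?,?,?,?,?,?)",
                   rows_from_tshark(text))
    db.commit()
    return db
```

The frame.time value itself contains a comma, so the -E quote=d option and a quote-aware parser are both needed; splitting each line on commas would shift every column after the timestamp.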
