This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Total Fields can be exported to CSV file

0

Hi All, I am working on the tshark -T option to export fields to a .csv file. I successfully performed the conversion using tshark -r input.pcap -T fields -e field_name -E separator=,

I have tried the field names ip.src, ip.dst and frame.number. I would like to know all the field names which I can use when exporting to a .csv file.

Thanks,

asked 16 Feb '14, 21:52

Aditi

edited 17 Feb '14, 02:04

grahamb ♦


One Answer:

1

There are lots of fields; use tshark -G fields to list them all.

answered 17 Feb '14, 02:09

grahamb ♦

or check the online docs

http://www.wireshark.org/docs/dfref

(17 Feb '14, 02:17) Kurt Knochner ♦

Thanks Kurt,

As you suggested, I got the full field list. Upon checking it, I find a lot of other fields in all protocols; for the IP protocol, say, I found ip.geoip.city and ip.src_rt. As per my knowledge, there is no field for geoip.city or src_rt in the IP protocol header. I could not understand from where Wireshark/tshark will capture all these details if they are not available in the packet itself...

(19 Feb '14, 22:37) Aditi

Some fields are synthesized by Wireshark from the information in the capture and sometimes using external sources.

In the case of the two fields mentioned, ip.geoip.city is set via an IP-to-geographic-location lookup, and the second field, ip.src_rt, is set if the packet contains IP source routing options, either LSRR or SSRR; see RFC 791.

(20 Feb '14, 05:44) grahamb ♦
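
Added example, not part of the original thread: a shell sketch that narrows the `tshark -G fields` listing to one protocol and turns the result into `-e` arguments for a CSV export. It assumes the tab-separated record layout described in the tshark man page; the helper names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# `tshark -G fields` prints tab-separated records. Field records start with "F":
#   F <name> <abbrev> <type> <parent protocol> <base> <bitmask> <blurb>
# Protocol records start with "P":
#   P <name> <abbrev>

# Constructed sample in that layout (not real tshark output), so this runs offline.
sample_fields() {
  printf 'P\tInternet Protocol Version 4\tip\n'
  printf 'F\tSource\tip.src\tFT_IPv4\tip\t\t0x0\t\n'
  printf 'F\tDestination\tip.dst\tFT_IPv4\tip\t\t0x0\t\n'
  printf 'F\tSource Route\tip.src_rt\tFT_IPv4\tip\t\t0x0\t\n'
  printf 'F\tSource GeoIP City\tip.geoip.city\tFT_STRING\tip\t\t0x0\t\n'
  printf 'P\tTransmission Control Protocol\ttcp\n'
  printf 'F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_DEC\t0x0\t\n'
}

# Read a field listing on stdin and print the abbreviation of every field
# whose parent protocol (column 5) is exactly $1.
fields_for_proto() {
  awk -F '\t' -v proto="$1" '$1 == "F" && $5 == proto { print $3 }'
}

# Turn abbreviations on stdin (one per line) into "-e a -e b ..." on one line.
# Prints nothing when the input is empty, so a typo in the protocol name
# does not silently produce an export with no columns.
e_args() {
  awk '{ printf "%s-e %s", (NR > 1 ? " " : ""), $1 } END { if (NR) print "" }'
}

# Offline demonstration on the constructed sample.
sample_fields | fields_for_proto ip | e_args

# Against a real install (input.pcap is the file name from the question):
#   tshark -G fields | fields_for_proto ip
#   tshark -r input.pcap -T fields -E header=y -E separator=, \
#          -e frame.number -e ip.src -e ip.dst -e ip.src_rt
```

In the export, ip.src_rt is only populated for packets that carry a source routing option, and ip.geoip.city depends on a lookup outside the capture, as grahamb's last comment explains, so empty cells in those columns are expected.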