This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Parsing Pcap summary

0

Is it possible to output the pcap summary (using -z in tshark) in a specific format like csv/xml?

asked 05 Dec '14, 13:44


nightwatcher


One Answer:

1

Not within tshark -z io,stat (though I wish it could). It's doable with a script though.

The -z io,stat output will put all the capture file's statistics you're looking for into a single very long line with a "|" delimiter. There are a couple of tricks to it though:

  1. The output line changes depending on how many statistics you are querying. Every new metric adds one more line, so I just have a script use the number of metrics to predict the "stats line" that contains all the actual data you want.

  2. The number of columns per metric you're trying to calculate is variable (e.g. you'll get frame and byte counts with separate | delimiters if you query a normal display filter count, but you'll get a single field returned within one delimited cell if you query a function such as SUM or AVG). I actually solved this by always assuming there will be two field outputs per metric in the -z query, where a 'filler' metric will be added to my query just to make sure the "take every second field returned" rule in the script holds true.

I really do wish -z would just give a .csv output, though. People who forego the GUI to write out a longhand -z query are likely not the sort who would want pretty ASCII text output. Likely, they're using tshark because they want to automate it and the output makes it inherently more difficult for it to be used for that purpose.

Edit: For reference, at least for the -z io,stat to be an option here I've submitted bug/feature request 10759. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10759

answered 05 Dec '14, 15:12


Quadratic

edited 05 Dec '14, 15:36

I just wanted the summary for rtp streams and sip stats to be put in variables, but now I see that there is no way other than doing regex and other non-elegant file parsing to achieve the purpose.

(06 Dec '14, 17:07) nightwatcher
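The script approach described in the answer, as an added example that is not part of the original thread or of Wireshark: a Python parser that turns the "|"-delimited io,stat table into CSV. Instead of predicting the stats line number or padding the query with a filler metric, it locates data rows by their `<>` interval cell and reads the legend to decide whether a metric occupies two cells (frames and bytes) or one (a function such as SUM or AVG). The names `parse_io_stat` and `to_csv`, the `Col N:` legend layout and the sample table are assumptions; the sample is constructed, not captured output.

```python
import csv, io, re
# Constructed sample in the io,stat table layout; real layouts vary by tshark version.
SAMPLE = """\
| IO Statistics                                         |
| Duration: 10.5 secs                                   |
| Interval: 10.5 secs                                   |
| Col 1: Frames and bytes                               |
|     2: SUM(frame.len)frame.len                        |
|     3: sip                                            |
|-------------------------------------------------------|
|              |1               |2      |3              |
| Interval     | Frames | Bytes |  SUM  | Frames | Bytes |
|-------------------------------------------------------|
|  0.0 <> 10.5 |    120 | 48213 | 48213 |     14 |  9120 |
=========================================================
"""
LEGEND = re.compile(r"^\|\s*(?:Col\s+)?(\d+):\s*(.*?)\s*\|?\s*$")
FUNC = re.compile(r"^(COUNT|SUM|MIN|MAX|AVG|LOAD)\(", re.I)  # one cell per metric
ROW = re.compile(r"^\|\s*(\S+)\s*<>\s*(\S+)\s*\|(.*)$")      # "start <> end | ..."

def parse_io_stat(text):
    metrics, rows = {}, []
    for line in text.splitlines():
        legend = LEGEND.match(line)
        if legend:  # remember each column's metric name from the legend
            metrics[int(legend.group(1))] = legend.group(2)
            continue
        data = ROW.match(line)
        if not data:  # borders, headers and summary lines carry no values
            continue
        cells = [c.strip() for c in data.group(3).split("|") if c.strip()]
        row = {"start": data.group(1), "end": data.group(2)}
        for col in sorted(metrics):
            name = metrics[col]
            # Plain display filters yield frames and bytes; functions yield one value.
            keys = [name] if FUNC.match(name) else [name + ":frames", name + ":bytes"]
            if len(cells) < len(keys):
                raise ValueError("fewer cells than the legend predicts: " + line)
            for key in keys:
                row[key] = cells.pop(0)
        rows.append(row)
    return rows

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Feed it the text captured from tshark's standard output; a row whose cell count does not match the legend raises `ValueError` rather than silently shifting values into the wrong column.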