This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to classify tcp.flags,udp and icmp?


Hi, I am a newbie to Wireshark. I want to export my pcap to CSV. I need to export data in this format: Date || Time || Src_IP || Dest_IP || Src_Port || Dest_Prt || Protocol || Classification (tcp flags, udp, icmp)

I'm using the CLI to do this.

tshark -r test.pcap -T fields -e frame.time -e eth.src -e eth.dst -e ip.src -e ip.dst -e tcp.srcport -e udp.srcport -e tcp.dstport -e udp.dstport -e ip.proto -e tcp.flags -E header=y -E separator=, -E quote=d -E occurrence=f > test.csv

Questions:

  1. How to separate date and time?
  2. How to add a logical OR operation to -e tcp.srcport -e udp.srcport? (I have tried many times but failed each time)
  3. How to classify TCP flags, ICMP, UDP?

I'm using tcp.flags and it results in a decimal number, and I don't know the value of the TCP flags.

Example: tcp.flags = 18

Need Help!

asked 25 Feb '15, 21:02

Viru

edited 26 Feb '15, 01:55

Kurt Knochner ♦


2 Answers:

Answers:

  1. You can't, as there is no extra field for date and/or time. So, you'll have to split it yourself after the export with a script.
  2. There is no 'or' operator for command-line options. So, you either let tshark print both values and then ignore the empty one, or you run tshark twice, once for UDP and once for TCP (-Y "udp" or -Y "tcp"), with the corresponding port options.
  3. The encoding of tcp.flags is the same as in the TCP header: 00 = no flags, 01 = FIN set, 02 = SYN set, 04 = RESET set, etc. It's binary arithmetic. Please see the TCP RFC or any other resource on the internet about the TCP header and the definition of the flags. Your example (tcp.flags = 18) is in binary notation: 10010, which means: SYN set (02), ACK set (0F = 16). 02 + 16 = 18.

Regards
Kurt

answered 26 Feb '15, 02:03

Kurt Knochner ♦

Answers:

1. How to separate date and time?

You'll have to pipe the output of tshark through a tool, such as a sed, AWK, or Perl script, that modifies the output to do that. The "time stamp" is actually a date/time stamp, so "frame.time" includes both date and time (the internal representation in Wireshark is "seconds and fractions of a second since January 1, 1970, 00:00:00 UTC", which does not separate date and time).

2. How to add a logical OR operation to -e tcp.srcport -e udp.srcport? (I have tried many times but failed each time)

Presumably you mean "how do I show tcp.srcport and udp.srcport in the same field in the CSV output?" If that's what you mean, there is no mechanism that allows you to do that, so, again, you'd have to pipe the output through something that modifies the output of tshark.

3. How to classify TCP flags, ICMP, UDP? I'm using tcp.flags and it results in a decimal number, and I don't know the value of the TCP flags.

For TCP flags, convert the value to hex, and then see RFC 793 section 3.1 "Header Format" for the interpretation of that value.

answered 26 Feb '15, 02:13

Guy Harris ♦♦
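A post-processing script of the kind both answers describe, added here as an example (it is not from either answer or from the Wireshark project): it splits frame.time into date and time, merges the TCP and UDP port columns, and decodes tcp.flags by bit. It assumes the column set from the tshark command in the question, tshark's "Feb 26, 2015 02:03:45.123456000 CET" form of frame.time, and a constructed sample of that output.

```python
import csv
import io
import sys
from datetime import datetime

# Bit values of the TCP flags as laid out in the TCP header (RFC 793; ECE/CWR from RFC 3168).
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

def decode_tcp_flags(text):
    """'18' or '0x012' -> 'SYN+ACK': name every flag bit that is set."""
    text = text.strip()
    bits = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    return "+".join(name for bit, name in TCP_FLAG_BITS if bits & bit) or "NONE"

def classify(ip_proto, tcp_flags):
    """Map ip.proto (plus tcp.flags for TCP) to the Classification column."""
    proto = int(ip_proto)
    if proto == 6:
        return "TCP:" + decode_tcp_flags(tcp_flags)
    return {17: "UDP", 1: "ICMP"}.get(proto, "IPPROTO_%d" % proto)

def split_frame_time(frame_time):
    """'Feb 26, 2015 02:03:45.123456000 CET' -> ('2015-02-26', '02:03:45.123456000')."""
    month, day, year, clock = frame_time.split()[:4]
    stamp = datetime.strptime("%s %s %s" % (month, day.rstrip(","), year), "%b %d %Y")
    return stamp.strftime("%Y-%m-%d"), clock

def convert(tshark_csv):
    """Rewrite tshark -T fields CSV (quote=d, separator=,) into the requested columns."""
    rows = []
    for r in csv.DictReader(io.StringIO(tshark_csv)):
        date, time = split_frame_time(r["frame.time"])
        rows.append([date, time, r["ip.src"], r["ip.dst"],
                     r["tcp.srcport"] or r["udp.srcport"],  # the "or" of the two port columns
                     r["tcp.dstport"] or r["udp.dstport"],
                     r["ip.proto"], classify(r["ip.proto"], r["tcp.flags"])])
    return rows

# Constructed sample in the layout the tshark command in the question produces (not a real capture).
SAMPLE = '''"frame.time","ip.src","ip.dst","tcp.srcport","udp.srcport","tcp.dstport","udp.dstport","ip.proto","tcp.flags"
"Feb 26, 2015 02:03:45.123456000 CET","10.0.0.1","10.0.0.2","80","","51234","","6","18"
"Feb  6, 2015 02:03:46.000000000 CET","10.0.0.1","10.0.0.3","","53","","51235","17",""
"Feb 26, 2015 02:03:47.500000000 CET","10.0.0.4","10.0.0.1","","","","","1",""
'''

if __name__ == "__main__":
    writer = csv.writer(sys.stdout)
    writer.writerow(["Date", "Time", "Src_IP", "Dest_IP", "Src_Port", "Dest_Port", "Protocol", "Classification"])
    writer.writerows(convert(SAMPLE))
```

To use it on a real export, replace SAMPLE with the contents of test.csv (or sys.stdin.read() when piping from tshark); the eth.src/eth.dst columns in the original command are simply ignored by the DictReader.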