This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Convert PCAP to CSV using tshark puts new lines in the middle of a CSV line

Hi, I have a problem with the data within the fields of a PCAP file. Some values contain \n; when I export the PCAP to CSV it's OK. (The info column contains the characters \n.) When I'm using tshark to convert multiple PCAPs, I get a new line in the data and the CSV is corrupted.

Any ideas how I can fix that? To replace the character manually will be a problem. Does anybody know if the export to CSV functionality uses TSHARK or something else?

BTW I'm using Windows 8.1 if there's any difference.

Thank you.

asked 01 Jul '15, 08:20

glev

edited 06 Jul '15, 16:32

Guy Harris ♦♦

What is your Wireshark version and what are the tshark CLI options?

(02 Jul '15, 16:41) Kurt Knochner ♦

My Wireshark version is the most updated and the tshark options are: tshark -T fields -n -r capture.pcap -E separator=, -e ip.src -e ip.dst -e col.info > output.txt

(02 Jul '15, 23:43) glev

We would like to know the exact version, please add a comment with the contents of the Help -> About Wireshark dialog.

(03 Jul '15, 02:45) grahamb ♦

Version 1.12.6 (v1.12.6-0-gee1fce6 from master-1.12)

The info col is _ws.col.info in the CLI command. The problem is that the info contains new lines and I need them to be encoded or replaced by the \n string.

(03 Jul '15, 03:56) glev

Tried to reproduce, but I failed. Could you provide a trace?

(03 Jul '15, 04:34) Christian_R

I don't have an error. The command is OK and everything is working; the only problem is that if I have a new line character in the info, the resulting CSV output has a new line and not an encoded character, and the CSV is corrupted.

(03 Jul '15, 05:05) glev

The command works OK; the result I'm getting is a corrupted CSV file with a '\n' which is corrupting the file instead of an encoded one. This situation occurs when I have \n in the _ws.col.Info data.

To reproduce you can take any PCAP with \n in the info (HTTP request for example) and convert it with tshark to CSV and the result will be a CSV file with a new line instead of encoded new line.

For example:

Correct csv should be:

"192.168.0.1","Data info with new line\n some more data"

What you get from tshark:

"192.168.0.1","Data info with new line
 some more data"

(05 Jul '15, 03:54) glev

What protocol put a newline character in the INFO column?

(05 Jul '15, 07:43) Hadriel

The protocol is MYSQL

(06 Jul '15, 13:44) glev

One Answer:

That's a bug. I submitted bug 11344 for you, at: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11344

answered 06 Jul '15, 15:52

Hadriel

@glev: any chance you could attach your capture file to that bug? I can make the attachment private afterward if it contains something sensitive. It would be good to have something to test against.

(06 Jul '15, 15:55) Hadriel

Fixed in Wireshark 1.99, back-ported to 1.12, and 1.10. Should be available for you to use/verify right now in the automated builds server in: 1.99.8-324 or higher, and 1.12.7rc0-24 or higher.

(07 Jul '15, 14:34) Hadriel
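
The symptom discussed in this thread, as an added example that is not part of the original posts or of Wireshark's code: a Python filter that re-emits double-quoted tshark field output with one record per physical line, writing embedded line breaks as the literal \n the asker wanted. It assumes the fields are double-quoted as in the rows quoted in the question (tshark's -E quote=d) and contain no bare double quote; the function name and the sample rows are constructed for illustration.

```python
import csv
import io


def escape_newlines_in_fields(raw_csv: str, expected_fields: int) -> str:
    """Re-emit double-quoted CSV with exactly one record per physical line.

    Line breaks inside a quoted field are replaced by the two characters
    backslash + 'n', so line-oriented tools (grep, SIEM importers) cannot
    mistake the tail of one record for the start of another.
    """
    # newline="" keeps embedded line breaks intact for the csv module.
    reader = csv.reader(io.StringIO(raw_csv, newline=""), strict=True)
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in reader:
        if not row:  # blank physical line between records
            continue
        if len(row) != expected_fields:
            # A wrong field count means a record was split or merged, e.g. an
            # unquoted field containing a line break: fail rather than guess.
            raise ValueError(
                f"line {reader.line_num}: expected {expected_fields} "
                f"fields, got {len(row)}"
            )
        writer.writerow(
            [f.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")
             for f in row]
        )
    return out.getvalue()


# Constructed sample (not real capture output): the second record's Info-style
# field contains a real line break, as in the rows quoted in the question.
SAMPLE = (
    '"192.168.0.2","192.168.0.1","Login request"\n'
    '"192.168.0.1","192.168.0.2","Data info with new line\n some more data"\n'
)

if __name__ == "__main__":
    print(escape_newlines_in_fields(SAMPLE, expected_fields=3), end="")
```

Output that was written without quotes cannot be repaired reliably this way, which is why the field-count check raises instead of joining lines heuristically.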