This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there any way to directly capture in CSV using tshark?

0

Hello All,

I have been trying to capture a Wireshark trace from tshark but I need to capture the output in CSV directly instead of first saving in pcap and then converting it. Could anyone help here in this case?

I have already used this command but it doesn't seem to help here:

tshark.exe -r "C:\aa_00001_20150826125423.pcap" -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -e _ws.col.info -E header=y -E separator=, -E quote=d -E occurrence=f > "C:\test11.csv"

asked 26 Aug '15, 02:52

rahul527
6113
accept rate: 0%

edited 26 Aug '15, 04:58

What is your problem exactly with this command?

(26 Aug '15, 03:44) Christian_R

One Answer:

0

The command you are using is to read an existing .pcap file, whereas your question is about creating a new capture file as a .csv?

This works completely fine for me (tested on Linux):

tshark -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -e _ws.col.info -E header=y -E separator="," -E quote=d -E occurrence=f > file.csv

The output looks like this:

"1","Aug 27, 2015 22:23:20.192158000BST","xx:xx:xx:xx:xx:xx","xx:xx:xx:xx:xx:xx","192.168.0.8","157.56.192.xxx","6",

The -r argument you used is exclusively for reading existing files.

Edit:

Also, in your code the -E separator=, may be incorrect. You might need to put any string value in "" to represent text. Otherwise the application is looking for an argument called separator=, which doesn't exist, depending on version type (my Wireshark version wouldn't accept it).

Hope this helps, let me know if you need a hand with anything else. :)

answered 27 Aug '15, 14:07

tbm
29116
accept rate: 0%

edited 27 Aug '15, 14:31
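
An added example, not part of the original answer: a quote-aware reader for the CSV that the command above writes, showing why -E quote=d matters (frame.time itself contains a comma) and how frames without an IP layer appear. The function names and the sample rows are constructed for illustration.

```python
import csv
import sys
from collections import Counter

# Field order from the command in the answer above.
FIELDS = ["frame.number", "frame.time", "eth.src", "eth.dst",
          "ip.src", "ip.dst", "ip.proto", "_ws.col.info"]

# Constructed sample (documentation addresses), shaped like -E header=y -E quote=d output.
SAMPLE = "\n".join([
    ",".join(FIELDS),
    '"1","Aug 27, 2015 22:23:20.192158000 BST","00:00:5e:00:53:01",'
    '"00:00:5e:00:53:02","192.0.2.8","198.51.100.7","6","443 > 51000 [ACK] Seq=1"',
    '"2","Aug 27, 2015 22:23:20.201000000 BST","00:00:5e:00:53:02",'
    '"ff:ff:ff:ff:ff:ff","","","","Who has 192.0.2.1? Tell 192.0.2.8"',
    '"3","Aug 27, 2015 22:23:20.300000000 BST","00:00:5e:00:53:01",'
    '"00:00:5e:00:53:02","192.0.2.8","198.51.100.7","6","51000 > 443 [ACK] Seq=2"',
]) + "\n"


def read_rows(lines):
    """Yield one dict per packet from an iterable of CSV lines (file, pipe or list)."""
    reader = csv.DictReader(lines)  # quote-aware: the comma inside frame.time stays in one column
    if reader.fieldnames != FIELDS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    for row in reader:
        # DictReader files surplus columns under None and pads short rows with None.
        if None in row or None in row.values():
            raise ValueError(f"malformed row near line {reader.line_num}")
        yield row


def count_flows(rows):
    """Return (Counter of (ip.src, ip.dst, ip.proto), number of non-IP frames)."""
    flows, non_ip = Counter(), 0
    for row in rows:
        if row["ip.src"]:
            flows[(row["ip.src"], row["ip.dst"], row["ip.proto"])] += 1
        else:
            non_ip += 1  # e.g. ARP: the ip.* columns come out empty
    return flows, non_ip


if __name__ == "__main__":
    # Live use (assumed invocation): tshark -l -T fields ... -E quote=d | python3 this_script.py
    flows, non_ip = count_flows(read_rows(sys.stdin))
    for key, n in flows.most_common():
        print(n, *key)
    print("non-IP frames:", non_ip)
```

Splitting a data line on every comma instead yields nine columns for eight fields, because of the comma in the timestamp.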