This is a static archive of our old Q&A Site. Please post any new questions and answers at

Is there any way to directly capture in CSV using tshark?


Hello All,

I have been trying to capture a wireshark trace from tshark but i need to capture the output in CSV directly instead of first saving in pcap and then converting it. Could anyone help here in this case?

I have already used this command but it doesnt seem to help here tshark.exe -r "C:\aa_00001_20150826125423.pcap" -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -e -E header=y -E separator=, -E quote=d -E occurrence=f > "C:\test11.csv"

asked 26 Aug '15, 02:52

rahul527's gravatar image

accept rate: 0%

edited 26 Aug '15, 04:58

What is your problem exactly with this command?

(26 Aug '15, 03:44) Christian_R

One Answer:


The command you are using is to read an existing .pcap file, whereas your question is about creating a new capture file as a .csv?

This works completely fine for me(Tested on Linux):

tshark -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -e -E header=y -E separator="," -E quote=d -E occurrence=f > file.csv

The output looks like this:

"1","Aug 27, 2015 22:23:20.192158000BST","xx:xx:xx:xx:xx:xx","xx:xx:xx:xx:xx:xx","","","6",

The -r argument you used is exclusively for reading existing files.


Also in your code the -E separator=, may be incorrect. You might need to put any string value in "" to represent text. Otherwise the application is looking for an argument called separator=, which doesn't exist depending on version type (My wireshark version wouldn't accept it).

Hope this helps, let me know if you need a hand with anything else. :)

answered 27 Aug '15, 14:07

tbm's gravatar image

accept rate: 0%

edited 27 Aug '15, 14:31