This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I get the default output of TShark as a CSV?

0

I am not sure where i need to go to find the answer to my question. So if there is a link i missed please let me know. I dont mind trying to figure it out. But will gladly accept an answer too.

I am trying to save the output of this command to a CSV file preferably. saving straight to the csv is ideal as opening a pcap file and converting regularly does not sound fun either.

The command i am trying to replicate is:

tshark -i wlan1 subtype probereq

I have tried using command tshark -i wlan1 subtype probereq -V >testout.txt

asked 09 Jan '16, 19:55

thegeneral's gravatar image

thegeneral
11113
accept rate: 0%

edited 09 Jan '16, 21:03

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
One Answer:
active answersoldest answersnewest answerspopular answers
0

I assume from

The command i am trying to replicate is:

tshark -i wlan1 subtype probereq

that you want the columns that tshark -i wlan1 subtype probereq prints out to be written to a file as a CSV, i.e. with commas between the column values.

There's not a simple way to do that directly, but you can ask TShark to print various values from the packet with commas between them. If you want the standard set of columns, you could, at least with newer versions of Wireshark, do

tshark -i wlan1 -T fields -E separator=, -E quote=d -e _ws.col.No. -e _ws.col.Time -e _ws.col.Source -e _ws.col.Destination -e _ws.col.Protocol -e _ws.col.Length -e _ws.col.Info subtype probereq
permanent link

answered 09 Jan '16, 20:59

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 10 Jan '16, 00:40

Thank you for the help. This is getting the results i am looking for. But now the issue is writing those results to a file.

When i add -w testfile.txt it just prints to screen but nothing in the file. same with -w -v >testfile.txt

Any advise on writing the results to a capture file?

(13 Jan '16, 21:50) thegeneral

-w specifies to what file the raw captured data should be written. It is always an error to use -w with a file whose name ends in .txt, because TShark (and dumpcap, and tcpdump) do not write out raw captures as text.

If you don't need the raw packet file (to read later with Wireshark or tcpdump or some other program that can read pcap or pcapng files), then don't specify -w at all, just run tshark with the output redirected to the file, and no -w:

tshark -i wlan1 -T fields -E separator=, -E quote=d -e _ws.col.No. -e _ws.col.Time -e _ws.col.Source -e _ws.col.Destination -e _ws.col.Protocol -e _ws.col.Length -e _ws.col.Info subtype probereq >testfile.txt
(13 Jan '16, 21:54) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×91
×40
×40
×22

question asked: 09 Jan '16, 19:55

question was seen: 4,252 times

last updated: 13 Jan '16, 21:54

Related questions

TShark: Display Filter and Statistics

Is there any way to directly capture in CSV using tshark?

Tshark -w switch

Other formats missing from the "Save as" dialog

How to set column left-justified

"http.host" and "http.request.full_uri" filter

Wireshark freezing when restart/show options/List interfaces after stop the running live capture using PIPE file feed data

tshark filter from a file

Cannot open a capture file

Is there an inbuilt Log File limit from command line. files:200 generates thousands of logs.

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A