I have a pcap file from which I intend to extract the following features into a text file using tshark:
The first 6 features can be acquired by using the -e option, and the last two fields can be obtained using the -z conv,ip option. But I need to put them together in a file which has 8 columns, and these features should stack up side by side. Please help. Thanks in advance.
asked 11 Feb '16, 05:37 sidsethu edited 11 Feb '16, 07:34
As the first 6 seem to be on a per packet basis and the last 2 are a summary of number of packets, I don't see how they would be printed on the same line.
Can you give an example of what you want?
Even so, I don't think tshark will be able to do it as per packet info is printed as the packet is dissected and summary info is printed at the end after all packets have been dissected.
Have you, by chance, expected that columns 7 and 8 would contain the intermediate summary value for the src and dst socket combination of that packet? I.e. the 15th occurrence of a packet with src socket A and dst socket B in the list would have 15 in column 7?
To @sindy: No, I want all occurrences of a packet with src A and dst B to have 45 as value of column 7, if there are 45 such packets.
To @grahamb: I do not necessarily want this to happen in one pass, a solution which involves storing in two separate files and then merging to get a tabular form with 8 columns is also welcome.
I think you'll have to use the tshark output for the first 6 columns, then post process using your favourite language to add the 7th and 8th, possibly using another run of tshark with the -z,conv option to get tshark to calculate the values for you.
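The two-pass post-processing suggested above, as an added example that is not part of the original thread. It assumes the first two -e fields are ip.src and ip.dst, and that column 8 is the packet count in the reverse direction; the page states neither, and the function name and sample rows are constructed for illustration.

```python
import sys
from collections import Counter

# Constructed sample of per-packet output from something like
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e <four more fields>
# (tab-separated by default). Columns 3-6 are placeholder values.
SAMPLE = """\
10.0.0.1\t10.0.0.2\t6\t51000\t80\t60
10.0.0.2\t10.0.0.1\t6\t80\t51000\t60
10.0.0.1\t10.0.0.2\t6\t51000\t80\t1514
10.0.0.3\t10.0.0.1\t17\t5353\t5353\t90
\t\t\t\t\t42
10.0.0.1\t10.0.0.2\t6\t51000\t80\t54
"""


def first_value(field):
    # tshark joins repeated occurrences of a field with "," (e.g. the inner
    # IP header quoted in an ICMP error); the outer header comes first.
    return field.split(",")[0]


def add_conversation_counts(lines, src_col=0, dst_col=1):
    """Append two columns to every row: total packets src->dst, and dst->src."""
    rows = [ln.rstrip("\r\n").split("\t") for ln in lines if ln.strip()]

    def key(row):
        return first_value(row[src_col]), first_value(row[dst_col])

    # Pass 1: count packets per directed (src, dst) pair, IP packets only.
    counts = Counter(key(r) for r in rows if all(key(r)))

    # Pass 2: every packet of a pair gets that pair's final totals.
    out = []
    for r in rows:
        src, dst = key(r)
        if src and dst:
            extra = [str(counts[(src, dst)]), str(counts[(dst, src)])]
        else:
            extra = ["", ""]  # non-IP packet (e.g. ARP): no conversation
        out.append(r + extra)
    return out


if __name__ == "__main__":
    # Usage: python add_counts.py fields.txt > table.txt  (sample if no file)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for row in add_conversation_counts(src):
        print("\t".join(row))
```

The totals can be cross-checked against the frame counts that a separate tshark run with -z conv,ip reports for the same capture.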