This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

convert the pcap file to csv in asp.net web application

0

Hi, I have a pcap file and i am developing a web application from where user will upload a pcap file, then User will click on Process button. Now i want to process that pcap file and want to INSERT/Add all data of pcap file in sql server database.

So how can i do this ? I have tried to INSERT data of pcap file but the data did not added in a readable formate :-(

So now i want to know a method name to whom i will pass that pcap file and it will return a file in csv formate. Then it will be very simple to pass that file to sql server and data will be inserted in database table.

Thanks in advance, i am a newbie over here :-)

asked 23 Mar '16, 03:31

rabeeljaved's gravatar image

rabeeljaved
6114
accept rate: 100%


2 Answers:

0

Following is the command to convert a pCap file to csv format:

tshark -T fields -n -r {the pathname of the capture file} -E separator=, -e {first field name} -e {second field name} ... >{the pathname of the output file}

Where {the pathname of the capture file} is the pathname of the capture file you're reading and {first field name}, {second field name} and so on are the names of the fields, and {the pathname of the output file} is the pathname of the output file.

Here is the final command of TShark to convert pCap file to CSV file format:

tshark -T fields -n -r C:\capture.pcap -E separator=, -e ip.src -e ip.dst >C:\output.csv

Now we have the pCap file in CSV format, it is now possible to Insert/Add this in sql server database table.

Note: tshark = C:\Program Files\Wireshark\tshark.exe

Initiate an object of Process in your c# class and provide the path of cmd and pass above command line that will launch Tshark.exe and run the provided command and give us the output file at C:\output.csv. Now we can pick this file path and do what we want to do with this file like Insert in database table etc...

answered 29 Mar '16, 03:18

rabeeljaved's gravatar image

rabeeljaved
6114
accept rate: 100%

0

Note that there are already quite a few existing questions on this site regarding CSV output, have you looked at those?

tshark is the command line application in the wireshark suite that will read a pcap file and return the text version of the dissection of the traffic in the file.

The input file is specfied with a -r filename option.

To produce output in csv format you'll need to use the -T fields option and then -E separator=, and possibly -E header=y and then supply a list of all fields you want to see with multiple -e options, e.g. -e frame.number -e frame.time. The field names are those used in display filters in Wireshark and can be seen by opening the capture file in Wireshark, selecting the field in the packet details pane and then looking at the details in the status bar.

Because you have to specify the required fields for "CSV" output, you may find it easier to process XML output, in this case use -T pdml or -T psml.

answered 23 Mar '16, 04:28

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 23 Mar '16, 04:29

thanks @grahamb

But is there any way to convert pcap file in csv through a c# code/method instead of opening pcap file in Wireshark and converting it into csv or converting through command line....??? So here the thing, i want to upload the file through ASP.NET Web-Form application, after that i want to process that file and convert that file into csv??

I don't want to use command line kind of thing... :-(

(23 Mar '16, 05:46) rabeeljaved

Do you want dissected traffic, i.e. similar to that which the Wireshark GUI displays in the packet detail list, or do you simply want the pcap headers for each frame and the raw frame data?

A pcap file contains some headers and then the raw frame data.

If you want dissected traffic, then you'll need to use some form of dissection library, which is what tshark provides.

If you just want the raw frame data, then a .net library that can handle pcap files may suffice, a quick Google search turned up pcap.net and sharpcap. I have no idea how well these work, or if they can output in csv and in sufficient detail for your purposes.

(23 Mar '16, 06:51) grahamb ♦