This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract to Csv selected data

Hi

I'd like to extract selected data in the packet details. Payload length, duration and bits. How can I do this? I see payload length and bits in the packet details, but duration in statistics-conversations.

How can I get these data from a capture to a CSV?

Here's the image migrated from the comment below: alt text

asked 08 Sep '16, 12:04

Rsharkz

edited 08 Sep '16, 22:07

sindy


One Answer:

If you want to avoid (or at least minimize) any post-processing, you can use tshark with -T fields -e field1 -e field2 -e field3 -E separator=, command line parameters to get a file with a line field1,field2,field3 representing each frame in the capture (see the tshark manual page for details about separators and handling of multiple instances of the same field in a single frame, as you need to configure also an instance separator if you decide to print all of them). But what exactly do you mean by the "duration" you can get in statistics in the context of a csv file with one line per frame?

answered 08 Sep '16, 12:47

sindy

Hi sindy,

Thanks for your answer. I have attached an image showing the field that I want. It is called Duration (I circled the field in red in the image). To get the duration, I clicked on Statistics, and then Conversations. My tshark is not coming up (I'm using Windows 8.1). Any idea why?

The image is in the question.

(08 Sep '16, 17:13) Rsharkz

@Rsharkz,

a housekeeping note: an Answer must answer the original Question, hence I've converted your post into a Comment. To do that, I had to migrate the picture to the Question, as pictures in Comments kill page layouts.

To the subject: I did suspect that you had in mind the duration of a conversation, but I better asked because it was (and still is) not clear to me how you'd want to combine columns from the statistics view (one line per conversation which may contain multiple frames) with columns from frame dissection (one line per frame which makes just a part of a conversation).

Do you want the lines of the resulting csv to represent the individual frames but have the "conversation duration" column at each of the lines which gives the duration of the conversation to which that line's source frame belongs?

(08 Sep '16, 22:18) sindy

@sindy

Thanks and noted the house rules, apologies as I just started in the forum :)

Yes, I want the lines of the resulting csv to have a line per frame, which includes the duration of the conversation.

Is the duration of conversation per frame the total amount of time a packet completes its communication. Ideally, I would like to monitor how long each packet takes to complete the entire session.

The statistics inside tshark - can we create custom fields to perform a subtraction or an addition or average? For example, I'd like to find out the average no of packets or packet length received every minute. I probably can run something off the CSV, but just want to find out if tshark has an option for that.

(08 Sep '16, 23:36) Rsharkz

> Is the duration of conversation per frame the total amount of time a packet completes its communication.

Please reword this sentence - it looks to me as if something is missing in it.

> Ideally, I would like to monitor how long each packet takes to complete the entire session.

Same case. I admit I'm not a native English speaker so I may miss some grammar constructions.

(08 Sep '16, 23:47) sindy

Hi sindy. How do I use tshark to extract the duration column in the screenshot (the image you moved to the question)?

That's what I would like to do. Thanks!

(12 Sep '16, 20:18) Rsharkz

The closest possibility to what you want is

tshark -r your_input_file_name -Q -z conv,tcp > your_output_file_name.csv

except that the output is not a literal csv - the values in the output table are not separated by commas but by spaces and, occasionally, some additional formatting character sequences like <->, so you'll have to do a bit of text processing.

(12 Sep '16, 22:10) sindy
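
The text processing mentioned in the last comment, as an added example that is not part of the original thread: it turns the space-separated `-z conv,tcp` table into real CSV, including the Duration column. The sample table is constructed, and its column layout (eight numeric columns after the two endpoints) and the column names are assumptions to check against your own tshark version's output.

```python
import csv
import io

# Constructed sample of `tshark -r your_input_file_name -Q -z conv,tcp` output.
# Assumed layout: "A <-> B" followed by eight numeric columns, Duration last.
SAMPLE = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                     |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                     | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.0.2.10:51234     <-> 198.51.100.7:443         10      5400       8      1200      18      6600     0.000000000         1.2345
2001:db8::1:50000    <-> 2001:db8::2:80            3       180       4       240       7       420     2.500000000         0.0420
================================================================================
"""

# Column names are this example's own; "<-" is read as traffic toward address A.
FIELDS = ["addr_a", "port_a", "addr_b", "port_b",
          "frames_b_to_a", "bytes_b_to_a", "frames_a_to_b", "bytes_a_to_b",
          "frames_total", "bytes_total", "rel_start", "duration"]


def parse_conversations(text):
    """Return one dict per conversation row of a conv,tcp table."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # Only data rows have "<->" as their second token; headers and rules do not.
        if len(tokens) < 2 or tokens[1] != "<->":
            continue
        if len(tokens) != 11:
            # Fail loudly instead of writing shifted columns into the CSV.
            raise ValueError(f"unexpected column layout: {line!r}")
        # Split at the last colon so IPv6 addresses keep their own colons.
        addr_a, _, port_a = tokens[0].rpartition(":")
        addr_b, _, port_b = tokens[2].rpartition(":")
        rows.append(dict(zip(FIELDS, [addr_a, port_a, addr_b, port_b, *tokens[3:]])))
    return rows


def to_csv(rows):
    """Serialize parsed rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_conversations(SAMPLE)), end="")
```
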