This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Show protocol and port number using tshark

0

Hi, I would like to export [protocol,source port ,destination port] from pcap file as csv file.

Would it be possible to get results like [tcp,5423,22] [udp,9334,161].

I need something like if protocol column is tcp,print tcp.srcport in source port column and tcp.dstport in destination port column and same for udp as well.

I do not want create seperate columns for tcp ports and udp ports.

Can I do it with tshark -R??

asked 24 Jan '17, 10:25

subinjp's gravatar image

subinjp
417713
accept rate: 0%

One Answer:

3

You ought to be able to mostly achieve this with tshark by specifying the columns you want as follows (run "tshark -G column-formats" to find these):

tshark -r capture.pcap -Y "udp or tcp" -o "gui.column.format:\"Protocol\",\"%p\",\"SrcPort\",\"%S\",\"DstPort\",\"%D\"

The "Protocol" column will indicate the most upper-layer protocol present in the packet though and not specifically "tcp" or "udp", and if you want the fields comma-separated and surrounded by those [] brackets, then you'll have to figure out how to do that some other way.

You can probably get a bit closer if you first add all the columns you want within Wireshark first+, and then run tshark as follows (assuming your Wireshark columns are named as mine are below):

tshark -r capture.pcap -Y "udp or tcp" -T fields -e _ws.col.Protocol -e _ws.col.SrcPort -e _ws.col.DstPort -E separator=, > ports.csv

Again, the protocol name printed will be the most upper-layer protocol present in the packet. If you don't care about "udp" and "tcp" vs. their IP protocol numbers "17" and "6" respectively, then you could substitute "-e ip.proto" for "-e _ws.col.Protocol", but you should probably modify the filter to be "-Y "ip and (udp or tcp)" to be sure there's an IP header (as opposed to an IPv6 header, and you will still have to add the [] brackets somehow. If you have IPv6 traffic, then the field would be -e ipv6.nxt instead of -e ip.proto and the filter would be "-Y ipv6 and (udp or tcp)".

+Wireshark column preferences are added via Edit -> Preferences -> Columns -> Add. The so-called built-in field types of "Source Port" and "Destination Port" are probably what you're looking for ... besides whatever other columns you're interested in.)

answered 24 Jan '17, 13:01

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

@cmaynard Thank you very much for the answer.. The problem is packet capture is happening in a remote server. I have access to server only through command line(using ssh). So I am not able to add columns in to wireshark using gui. I am using only tshark to access the pcap file.

Can I change the format of columns or add columns using tshark itself?? or Is there any way to add columns in to wireshark without using gui.?

(24 Jan '17, 13:18) subinjp

You can change the columns using tshark alone using the -o "gui.column.format:... method described above.

You could also directly edit the Wireshark "preferences" file found in the Wireshark personal configuration folder. Search for "gui.column.format" in the file and then add/modify columns as desired. Take heed when editing though, and I would suggest making a copy of the file first in case you make a mistake or to be able to restore the original preferences file later. Better would be to create a separate profile and edit the profile's preference file instead, thus leaving the original one alone. You can specify the profile to use with tshark's -C <profile> option.

(24 Jan '17, 13:31) cmaynard ♦♦

Thank you..:):)

(24 Jan '17, 16:26) subinjp