This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Selecting correct field with tshark for output file csv

0

In Windows 7 I'm using tshark on the command prompt to extract some information from pcaps and write them to csv files. In the csv file I want to write what is in the filter below, containing "test". In the pcap itself and the 'x509af.subject' field are multiple lines of x509sat.uTF8String values (in the ssl.handshake.certificate).

It looks like the output always shows the first value of the different uTF8Strings, but in this case I want to show the value of the 5th uTF8String. Just to be sure that the correct value has been printed to the csv file. I want "test" to show in the csv file, instead of a location which is currently showing.

Is there a way to tell tshark which uTF8String value can be printed to the csv file? Apparently the -Y filter does work, but the wrong field gets printed to the csv.

tshark.exe -r C:\pcaps\test.pcap -T fields -Y "ssl.handshake.certificate" -Y "x509sat.uTF8String == ""test""" -e frame.number -e frame.time -e ip.src -e ip.dst -e x509af.utcTime -e x509sat.uTF8String -E header=y -E separator=, -E quote=d -E occurrence=f > C:\pcaps\test.csv

asked 02 Feb '17, 08:14

r00t070

edited 02 Feb '17, 08:36

grahamb ♦


One Answer:

1

There is a -E option to select the occurrence of a field, but it only gives the options of first, last or all:

-E <fieldsoption>=<value> set options for output when -T fields selected:
   ...
   occurrence=f|l|a      print first, last or all occurrences of each field

answered 02 Feb '17, 08:38

grahamb ♦
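Because occurrence only offers first, last or all, one way to get the 5th uTF8String is to export all occurrences and pick one afterwards. The following is an added example, not part of the original answer; it assumes tshark was run with `-E occurrence=a -E aggregator="|"`, and the sample CSV rows are constructed.

```python
import csv
import io

AGGREGATOR = "|"  # assumed: tshark run with -E occurrence=a -E aggregator="|"
FIELD = "x509sat.uTF8String"

# Constructed sample of tshark -T fields output (header=y, separator=",", quote=d).
SAMPLE_CSV = '''"frame.number","ip.src","ip.dst","x509sat.uTF8String"
"12","192.0.2.10","198.51.100.7","NL|Noord-Holland|Amsterdam|Example Org|test"
"31","192.0.2.10","198.51.100.9","US|Example Inc"
'''

def select_occurrence(rows, field=FIELD, index=None, equals=None):
    """Yield rows with `field` narrowed to a single occurrence.

    index  -- 1-based occurrence to keep (5 for the 5th uTF8String)
    equals -- keep the occurrence whose value equals this string
    A row without a matching occurrence gets an empty value, so a shorter
    certificate subject never reports a different string by accident.
    A value that itself contains the aggregator character would be split
    wrongly; pick an aggregator that cannot occur in the data.
    """
    for row in rows:
        values = row[field].split(AGGREGATOR) if row[field] else []
        chosen = ""
        if index is not None and 1 <= index <= len(values):
            chosen = values[index - 1]
        elif equals is not None and equals in values:
            chosen = equals
        out = dict(row)
        out[field] = chosen
        yield out

def narrow_csv(text, **kwargs):
    """Parse tshark CSV text and return (rows, rewritten CSV text)."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(select_occurrence(reader, **kwargs))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return rows, buf.getvalue()

if __name__ == "__main__":
    _, text = narrow_csv(SAMPLE_CSV, index=5)
    print(text, end="")
```

The index counts every uTF8String in the frame, so a frame carrying a certificate chain numbers the strings across all certificates in it.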