This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Change default header name when converting .pcap to .csv

0

I convert a .pcap file to .csv using the following command:

tshark -r %s -T fields -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.stream -e frame.len -e tcp.flags -e _ws.col.Info -E header=y -E quote=d -E occurrence=f > %s.csv

How can I change the header name?

asked 16 Aug '17, 09:02

Zahra

edited 16 Aug '17, 09:02


One Answer:

1

The easiest way is probably to rename them in Wireshark first and then re-run your tshark command. If you don't want to change the default column names in Wireshark, you could create a new profile for this purpose where you can specify the new column names and then just have tshark use that profile via the -C <profile> option.

Alternatively, you could make use of the "gui.column.format:..." option to specify and name each column however you wish. Run tshark -G column-formats for more help with that.

See the tshark man page for more information on all tshark options.

answered 16 Aug '17, 12:19

cmaynard ♦♦
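An added example, not part of the original answer and not tshark's own mechanism: instead of the profile or column-format options described above, it post-processes the CSV from the question's command so that only the header row is renamed. The function names rename_header and sample_csv, the sample rows and the new header names are constructed for illustration; it assumes the "," separator and optional -E quote=d quoting used in the question.

```shell
#!/bin/sh
# rename_header: rewrite only the first (header) row of CSV produced by
#   tshark -T fields -E header=y -E separator=, [-E quote=d]
# Usage: tshark ... | rename_header old=new [old=new ...]
# Field names never contain commas, so splitting the header on "," is safe.
# Data rows are never parsed, because columns such as _ws.col.Info can
# contain commas inside quotes.
rename_header() {
    map=""
    for pair in "$@"; do
        map="${map}${pair}
"
    done
    MAP="$map" awk '
    BEGIN {
        n = split(ENVIRON["MAP"], pairs, "\n")
        for (i = 1; i <= n; i++) {
            eq = index(pairs[i], "=")
            if (eq > 1)
                name[substr(pairs[i], 1, eq - 1)] = substr(pairs[i], eq + 1)
        }
    }
    NR == 1 {
        cols = split($0, cell, ",")
        out = ""
        for (c = 1; c <= cols; c++) {
            f = cell[c]
            quoted = (f ~ /^".*"$/)          # header cell written with quote=d
            if (quoted) f = substr(f, 2, length(f) - 2)
            if (f in name) f = name[f]       # exact match only; others kept
            if (quoted) f = "\"" f "\""
            out = out (c > 1 ? "," : "") f
        }
        print out
        next
    }
    { print }    # data rows pass through unchanged
    '
}

# Constructed sample standing in for tshark output (not a real capture).
sample_csv() {
    cat <<'EOF'
"frame.number","ip.src","tcp.seq","_ws.col.Info"
"1","192.0.2.10","0","443 > 51514 [SYN, ACK] Seq=0 Ack=1"
EOF
}
```

Names not listed in the mapping keep tshark's default, so a partial rename such as `rename_header ip.src=Source` is enough when only a few columns need friendlier titles.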