This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

pcap to text

0

I want to know how to convert a .pcap file to plain text. I've tried using:

tcpdump -r input.pcap > output.txt

and it works, but the text inside the file isn't the same data as in the pcap file when I open the pcap in Wireshark.

I want to export to text without using the Wireshark interface; I want to do it through the terminal in Linux.

asked 22 Sep '11, 20:35

julle
accept rate: 0%

edited 22 Sep '11, 21:05

cmaynard ♦♦


2 Answers:

3

If you're looking for help with tcpdump, you're at the wrong place. See the tcpdump man page or post your question to the tcpdump mailing list.

On the other hand, if you meant to type tshark, then you should refer to the tshark man page, as there are many options to control the output, depending on your needs. You can also get help by running tshark -h.

One quick example, just to get you started, is: tshark -V -r input.pcap > output.txt.

answered 22 Sep '11, 21:05

cmaynard ♦♦
accept rate: 20%

1

tcpdump dissects packets differently from Wireshark, so tcpdump -r input.pcap > output.txt won't produce a dissection like that of Wireshark.

As Chris Maynard noted, you need to use a program that dissects packets the same way Wireshark does; TShark uses the same dissector code that Wireshark does, so it's the program to use.

answered 23 Sep '11, 00:55

Guy Harris ♦♦
accept rate: 19%
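
The output options both answers point to, gathered into an added example (not part of the original posts or of the Wireshark project's own material): a POSIX shell wrapper that maps a few text formats onto real tshark options. The function names and mode names (summary, verbose, hex, fields) are made up for this illustration, and -n is added so that converting a capture does not trigger name lookups for the addresses it contains.

```shell
#!/bin/sh
# Added example: pick a tshark text output format for a capture file.
# Mode and function names are hypothetical; the tshark options are real.

# Print the tshark options for a mode on one line (no option contains spaces).
tshark_opts() {
    case "$1" in
        summary) ;;                              # default: one line per packet
        verbose) printf '%s\n' "-V" ;;           # full protocol tree per packet
        hex)     printf '%s\n' "-V -x" ;;        # protocol tree plus hex/ASCII dump
        fields)  # selected fields as CSV with a header row
                 printf '%s\n' "-T fields -E header=y -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e frame.protocols" ;;
        *)       echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# pcap_to_text MODE INPUT.pcap OUTPUT.txt
# Returns 2 for an unknown mode, 1 for an unreadable input, 127 if tshark
# is not installed, otherwise tshark's own exit status.
pcap_to_text() {
    p2t_opts=$(tshark_opts "$1") || return 2
    p2t_in=$2
    p2t_out=$3
    if [ ! -r "$p2t_in" ]; then
        echo "cannot read capture: $p2t_in" >&2
        return 1
    fi
    if ! command -v tshark >/dev/null 2>&1; then
        echo "tshark not found in PATH" >&2
        return 127
    fi
    # Dissected traffic can include credentials, so create the output
    # readable by the owner only. $p2t_opts is left unquoted on purpose
    # so that it splits into separate options.
    (
        umask 077
        tshark -n -r "$p2t_in" $p2t_opts > "$p2t_out"
    )
}

# Usage after sourcing this file:
#   pcap_to_text verbose input.pcap output.txt
#   pcap_to_text fields  input.pcap output.csv
```
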