This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'd like to write a script (I'm on Windows) to open a WS capture, apply filters to it and write the output to a file.

I can get the correct information out of Wireshark by applying the filters there. How/what should I write a script in to run the file through WS, apply the filters, and then dump the output to a file?

Thanks!

asked 01 Dec '11, 14:16

sideslope


You just call up tshark.exe, which is the command line version of Wireshark, tell it to read the file, filter for whatever display filter you like, and write the file back out again. Here's an example, reading the file "sample.pcap", filtering it for ARP packets and writing the result to "result.pcap":

tshark -r "sample.pcap" -R "arp" -w "result.pcap"

tshark.exe can be found in the Wireshark installation directory.


answered 01 Dec '11, 14:33

Jasper ♦♦

Thanks Jasper! This does what I need. Is there a list of filter parameters somewhere? I need to filter on TCP conversation + GET requests. I see how to do the GETs, but I don't see how to filter on conversations too.

Thanks again!

(05 Dec '11, 13:43) sideslope

If I need to filter a conversation I usually use the popup menu of the packet list and select "Conversation Filter" -> "TCP", which will apply a display filter on the sockets of sender and receiver. It can be a bit annoying to filter on conversations by hand, so maybe you can take a look at the tcp stream index and filter on that without having to look for the packets of each conversation.

(06 Dec '11, 01:51) Jasper ♦♦

Use TShark to get an overview of the TCP Conversations:

$ tshark -r Clmt_04.pcap -q -z conv,tcp
===============================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.2:1386     <-> 93.184.220.20:80          111    142403      57      3618     168    146021
192.168.1.2:1367     <-> 93.184.220.20:80           54     73813      30      2061      84     75874
192.168.1.2:1344     <-> 204.9.178.11:80            43     57501      29      3622      72     61123

Some examples:

tshark -r Clmt_04.pcap -R "(ip.addr==192.168.1.2 && tcp.port==1386 && ip.addr==93.184.220.20 && tcp.port==80) || http.request"
tshark -r Clmt_04.pcap -R "(ip.addr==192.168.1.2 && tcp.port==1386 && ip.addr==93.184.220.20 && tcp.port==80) && http.request" -w output1.pcap

tshark -r Clmt_04.pcap -R "(ip.addr==192.168.1.2 && tcp.port==1367 && ip.addr==93.184.220.20 && tcp.port==80) || (ip.addr==192.168.1.2 && tcp.port==1344 && ip.addr==204.9.178.11 && tcp.port==80)"
tshark -r Clmt_04.pcap -R "((ip.addr==192.168.1.2 && tcp.port==1367 && ip.addr==93.184.220.20 && tcp.port==80) || (ip.addr==192.168.1.2 && tcp.port==1344 && ip.addr==204.9.178.11 && tcp.port==80)) && http.request" -w output4.pcap

You can find more information in the TShark man-page.
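Added example, written for this page rather than taken from either answer: a Python script that does what the question asks (run a capture through tshark from a script, with the conversation filters joke shows above, and write the matches to a file). It parses the `-z conv,tcp` table into conversations, builds the same per-conversation display filter as the answer, ORs several of them together with an optional `http.request` condition, and assembles the tshark command line. It assumes tshark is on PATH or in the default Windows install directory (the `WINDOWS_DEFAULT` path is an assumption), and that the tshark release is 1.10 or newer, where the display filter is passed with `-Y`; the `-R` used in the answers above became a two-pass read filter that requires `-2` in that release. `SAMPLE_CONV_TABLE` is a constructed sample in the shape of the conv,tcp output, not output from a real capture.

```python
"""Added example, not code from the original thread: drive tshark from a
script to filter a capture, as the question asks.
Assumptions: tshark is on PATH or in the assumed default Windows install
directory below, and it is release 1.10 or newer, where -Y gives the
display filter (the -R used in the answers above is now a two-pass read
filter that needs -2). SAMPLE_CONV_TABLE is a constructed sample in the
shape of "tshark -q -z conv,tcp" output, not taken from a real capture.
"""
import os
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

WINDOWS_DEFAULT = r"C:\Program Files\Wireshark\tshark.exe"  # assumed default path

# Constructed sample shaped like "tshark -r Clmt_04.pcap -q -z conv,tcp".
SAMPLE_CONV_TABLE = """\
===============================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.2:1386     <-> 93.184.220.20:80          111    142403      57      3618     168    146021
192.168.1.2:1367     <-> 93.184.220.20:80           54     73813      30      2061      84     75874
192.168.1.2:1344     <-> 204.9.178.11:80            43     57501      29      3622      72     61123
"""

@dataclass(frozen=True)
class TcpConversation:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    total_bytes: int

    def display_filter(self) -> str:
        """Both directions of this conversation, in the shape used in the answer above."""
        return (f"(ip.addr=={self.src_ip} && tcp.port=={self.src_port} && "
                f"ip.addr=={self.dst_ip} && tcp.port=={self.dst_port})")

# One data row: endpoints, then the <-, -> and Total frame/byte columns.
_ROW = re.compile(r"^([\d.]+):(\d+)\s+<->\s+([\d.]+):(\d+)"
                  r"(?:\s+\d+){4}\s+(\d+)\s+(\d+)\s*$")

def parse_conversations(table: str) -> List[TcpConversation]:
    """Parse the data rows of a conv,tcp table; header and rule lines are skipped."""
    convs = []
    for line in table.splitlines():
        m = _ROW.match(line.strip())
        if m:
            sip, sport, dip, dport, tot_frames, tot_bytes = m.groups()
            convs.append(TcpConversation(sip, int(sport), dip, int(dport), int(tot_bytes)))
    return convs

def combined_filter(convs: List[TcpConversation], extra: Optional[str] = None) -> str:
    """OR the conversation filters together; 'extra' (e.g. "http.request") is
    ANDed onto the whole union, as in the answer's last command."""
    union = " || ".join(c.display_filter() for c in convs)
    return f"({union}) && {extra}" if extra else union

def tshark_cmd(pcap: str, display_filter: str, out: Optional[str] = None) -> List[str]:
    """argv that filters 'pcap'; with 'out', matching packets go to a new file,
    otherwise tshark prints a one-line summary per packet."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter]
    return cmd + ["-w", out] if out else cmd

def find_tshark() -> str:
    """PATH first, then the assumed default Windows location."""
    found = shutil.which("tshark") or (WINDOWS_DEFAULT if os.path.exists(WINDOWS_DEFAULT) else None)
    if not found:
        raise FileNotFoundError("tshark not found; add the Wireshark directory to PATH")
    return found

def run_tshark(argv: List[str]) -> str:
    """Run an argv built by tshark_cmd with the located binary; return stdout."""
    return subprocess.run([find_tshark()] + argv[1:], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    # Take the conversation carrying the most bytes and keep only its HTTP requests.
    convs = parse_conversations(SAMPLE_CONV_TABLE)
    biggest = max(convs, key=lambda c: c.total_bytes)
    argv = tshark_cmd("Clmt_04.pcap", combined_filter([biggest], "http.request"), "output1.pcap")
    print(subprocess.list2cmdline(argv))
    if shutil.which("tshark"):  # only invoke it when tshark is actually installed
        run_tshark(argv)
```

Passing the command as an argv list rather than one shell string keeps the filter expression (with its `&&`, `||` and spaces) intact on Windows without extra quoting, and `subprocess.list2cmdline` shows the exact command line that would be typed by hand. To feed real captures, replace the constructed table with the stdout of `tshark -r <file> -q -z conv,tcp`.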


answered 05 Dec '11, 21:34

joke

edited 06 Dec '11, 01:07

Guy Harris ♦♦

question asked: 01 Dec '11, 14:16

question was seen: 6,620 times

last updated: 06 Dec '11, 01:51