MyTetra Share
Делитесь знаниями!
О, смотри-ка какое хорошее место. Дайте два!
tshark&wireshark
18.02.2014
10:19
Раздел: root - Linux

Covert the .pcap file to a .csv file using tshark

What is the "tshark" command for to converting the .pcap file to a .csv file? The packet capture data will be monitored using Splunk.

conversion csv pcap tshark


One Answer:

oldestnewestmost voted

1

That depends on which particular fields you want to use in the CSV file. Once you've decided which named fields to put into the CSV file, then you would run a command such as

tshark -T fields -n -r {the pathname of the capture file} -E separator=, -e {first field name} -e {second field name} ... >{the pathname of the output file}

where {the pathname of the capture file} is the pathname of the capture file you're reading and {first field name}, {second field name} and so on are the names of the fields, and {the pathname of the output file} is the pathname of the output file, for example

tshark -T fields -n -r capture.pcap -E separator=, -e ip.src -e ip.dst ... >output.txt

link

How do i specify the output csv file pathname into this tshark command above??

(18 Apr '12, 17:52) misteryuku

I've updated the anser to show that, and gave an example.

(18 Apr '12, 23:41) Guy Harris ♦♦

What does "this" in "so this applies to a .txt file..." refer to?

The text output of TShark is specified by redirecting its output to a file no matter what type of output is produced.

The -T fields, -E separator=,, and -e flags applies to a CSV file, which means that each line contains a Comma-Separated list of Values, with NO keys. There IS no option to TShark to make it produce output with key=value pairs.

(18 Apr '12, 23:56) Guy Harris ♦♦

okay i see besides outputting the ip.src and the ip.dst , what is the syntax for outputting the values for no, time, protocol, length and Info field column names from the Wireshark Graphical User Interface??

(19 Apr '12, 00:05) misteryuku

There are no fields corresponding to the protocol and info columns, so you'd have to do something such as

tshark -n -r {the pathname of the capture file}

to have it print out the columns. The output would NOT be comma-separated, and would NOT have key= tags; it would look something like

1 0.000000 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx TCP 54 5165 > http [SYN] Seq=0 Win=16384 Len=0

2 0.000001 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx TCP 54 14378 > http [SYN] Seq=0 Win=16384 Len=0

3 0.000003 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx TCP 54 31944 > http [SYN] Seq=0 Win=16384 Len=0

How to filter From field in HTTP header?

0

Hi, I want to filter "From: " field in HTTP header of a packet but it seems wireshark doesn't understands that field. I am using wireshark verison 1.6.8.

What should be done to resolve this issue? Is there any newer version which supports this field?

Thanks, Ravi

http


2 Answers:

oldestnewestmost voted

0

According to RFC2616 From: is a request header field.

This works on my system:

http.request and http contains "From: "

HOWEVER, this will only filter those requests with that string somewhere in the request. If you want to get the content of the field, there are these options:

  • run tshark with these options and parse the output with a script (find is just a simple example):

tshark -r http_from_sample.cap -R "http.request and http contains From:" -V | find "From:"

Regards
Kurt

link

answered 11 Jun '12, 09:03

I tried both the options but I am getting nothing in output. Can you suggest any other option? or writing a dissector is the last option.

Regards, Ravi

(11 Jun '12, 09:23) RAVI_TANDON

1

maybe there is no From: header in your data. Please try my sample capture.

http://cloudshark.org/captures/132afd675db4

See frame #4. My filter works even on cloudshark.

(11 Jun '12, 09:30) Kurt Knochner ♦

Yeah...its indeed working on your sample capture. But its not working on my capture at:

http://cloudshark.org/captures/479d04160629

It will be really helpful if you can comment that why its not working on my capture?

Thanks, Ravi

(11 Jun '12, 11:28) RAVI_TANDON

Dissection of your GPRS-Tunneled data stops at the TCP level, so there are no HTTP fields available.

(11 Jun '12, 12:45) Kurt Knochner ♦

2

There is a problem with the request. http1.cap does not end with a single CRLF (0x0d0a). Actually it's two CRLF. One for the last request header and one for an "empty line". The HTTP RFC defines this as a marker for the end of the request headers. Wireshark does not accept that as a valid HTTP request. I changed the last few bytes with a HEX editor and now the HTTP request gets dissected. Please check your GPRS encapsulation or the tool that generates the HTTP request.

(11 Jun '12, 14:13) Kurt Knochner ♦

showing 5 of 7 show 2 more comments

2

Wireshark allows configuring the HTTP dissector to parse custom header fields, allowing you to access the header field with display-filter syntax:

http.header.From

This requires no code modification or scripting. Follow the instructions from a similar post.

How to create a filter for a particular field?

0

Hi, I want to create a display filter for a particular field. Please help me to finish my task.

HTTP Header:

Hypertext Transfer Protocol

POST / HTTP/1.1\r\n
Content-Type: text/xml; charset=utf-8\r\n
SOAPAction: "create"\r\n

Here, I want to create filter for the "SOAPAction" field.

http soap display-filter


One Answer:

oldestnewestmost voted

5

The HTTP field list doesn't include SOAPAction, so SOAPAction is added as a simple text item. You can filter for it in a couple ways:

Option 1: Custom HTTP header field

Add a custom header field to your HTTP preferences (requires Wireshark restart), which allows you to filter for the field.

  1. Open menu: Edit > Preferences > Protocols > HTTP > Custom HTTP headers fields
  2. Click New
  3. For Header name, enter SOAPAction
  4. For Field desc, enter Intent of SOAP HTTP request (or whatever)
  5. Click OK
  6. Restart Wireshark.
  7. In the Display Filter textbox, enter http.header.SOAPAction, and click Apply. The textbox background should turn green, indicating the display filter syntax is correct (and that our preference changes for the custom field SOAPAction took effect).

Option 2: String matching display filter

This display filter scans entire HTTP packets for the string "SOAPAction:". This might be inefficient compared to a custom HTTP header field, but it works well.

http contains "SOAPAction:"
 
Так же в этом разделе:
← Содержание ...
 
MyTetra Share v.0.35
Яндекс индекс цитирования