MyTetra Share
Делитесь знаниями!
Время создания: 18.02.2014 10:19
Раздел: root - Linux
Запись: Yurons/mytetra/master/base/1392707997fi3b0p8d8v/text.html на

C overt the .pcap file to a .csv file using tshark

What is the "tshark" command for to converting the .pcap file to a .csv file? The packet capture data will be monitored using Splunk.

c onversion csv pcap tshark

One Answer:

oldest newest most voted


That depends on which particular fields you want to use in the CSV file. Once you've decided which named fields to put into the CSV file, then you would run a command such as

tshark -T fields -n -r {the pathname of the capture file} -E separator=, -e {first field name} -e {second field name} ... >{the pathname of the output file}

where {the pathname of the capture file} is the pathname of the capture file you're reading and {first field name}, {second field name} and so on are the names of the fields, and {the pathname of the output file} is the pathname of the output file, for example

tshark -T fields -n -r capture.pcap -E separator=, -e ip.src -e ip.dst ... >output.txt


How do i specify the output csv file pathname into this tshark command above??

(18 Apr '12, 17:52) misteryuku

I've updated the anser to show that, and gave an example.

(18 Apr '12, 23:41) Guy Harris ♦♦

What does "this" in "so this applies to a .txt file..." refer to?

The text output of TShark is specified by redirecting its output to a file no matter what type of output is produced.

The -T fields, -E separator=,, and -e flags applies to a CSV file, which means that each line contains a Comma-Separated list of Values, with NO keys. There IS no option to TShark to make it produce output with key=value pairs.

(18 Apr '12, 23:56) Guy Harris ♦♦

okay i see besides outputting the ip.src and the ip.dst , what is the syntax for outputting the values for no, time, protocol, length and Info field column names from the Wireshark Graphical User Interface??

(19 Apr '12, 00:05) misteryuku

There are no fields corresponding to the protocol and info columns, so you'd have to do something such as

tshark -n -r {the pathname of the capture file}

to have it print out the columns. The output would NOT be comma-separated, and would NOT have key= tags; it would look something like

1 0.000000 -> TCP 54 5165 > http [SYN] Seq=0 Win=16384 Len=0

2 0.000001 -> TCP 54 14378 > http [SYN] Seq=0 Win=16384 Len=0

3 0.000003 -> TCP 54 31944 > http [SYN] Seq=0 Win=16384 Len=0

H ow to filter From field in HTTP header?


Hi, I want to filter "From: " field in HTTP header of a packet but it seems wireshark doesn't understands that field. I am using wireshark verison 1.6.8.

What should be done to resolve this issue? Is there any newer version which supports this field?

Thanks, Ravi

h ttp

2 Answers:

oldest newest most voted


According to RFC2616 From: is a request header field.

This works on my system:

http.request and http contains "From: "

HOWEVER, this will only filter those requests with that string somewhere in the request. If you want to get the content of the field, there are these options:

  • run tshark with these options and parse the output with a script (find is just a simple example):

tshark -r http_from_sample.cap -R "http.request and http contains From:" -V | find "From:"

  • Write a Lua Listener or Post-Dissector
  • Extend the HTTP dissector to offer http.from or http.request_header.from



answered 11 Jun '12, 09:03

I tried both the options but I am getting nothing in output. Can you suggest any other option? or writing a dissector is the last option.

Regards, Ravi

(11 Jun '12, 09:23) RAVI_TANDON


maybe there is no From: header in your data. Please try my sample capture.

See frame #4. My filter works even on cloudshark.

(11 Jun '12, 09:30) Kurt Knochner ♦

Yeah...its indeed working on your sample capture. But its not working on my capture at:

It will be really helpful if you can comment that why its not working on my capture?

Thanks, Ravi

(11 Jun '12, 11:28) RAVI_TANDON

Dissection of your GPRS-Tunneled data stops at the TCP level, so there are no HTTP fields available.

(11 Jun '12, 12:45) Kurt Knochner ♦


There is a problem with the request. http1.cap does not end with a single CRLF (0x0d0a). Actually it's two CRLF. One for the last request header and one for an "empty line". The HTTP RFC defines this as a marker for the end of the request headers. Wireshark does not accept that as a valid HTTP request. I changed the last few bytes with a HEX editor and now the HTTP request gets dissected. Please check your GPRS encapsulation or the tool that generates the HTTP request.

(11 Jun '12, 14:13) Kurt Knochner ♦

showing 5 of 7 show 2 more comments


Wireshark allows configuring the HTTP dissector to parse custom header fields, allowing you to access the header field with display-filter syntax:


This requires no code modification or scripting. Follow the instructions from a similar post .

H ow to create a filter for a particular field?


Hi, I want to create a display filter for a particular field. Please help me to finish my task.

HTTP Header:

Hypertext Transfer Protocol

POST / HTTP/1.1\r\n
Content-Type: text/xml; charset=utf-8\r\n
SOAPAction: "create"\r\n

Here, I want to create filter for the "SOAPAction" field.

h ttp soap display-filter

One Answer:

oldest newest most voted


The HTTP field list doesn't include SOAPAction, so SOAPAction is added as a simple text item. You can filter for it in a couple ways:

Option 1: Custom HTTP header field

Add a custom header field to your HTTP preferences (requires Wireshark restart), which allows you to filter for the field.

  1. Open menu: Edit > Preferences > Protocols > HTTP > Custom HTTP headers fields
  2. Click New
  3. For Header name, enter SOAPAction
  4. For Field desc, enter Intent of SOAP HTTP request (or whatever)
  5. Click OK
  6. Restart Wireshark.
  7. In the Display Filter textbox, enter http.header.SOAPAction, and click Apply. The textbox background should turn green, indicating the display filter syntax is correct (and that our preference changes for the custom field SOAPAction took effect).

Option 2: String matching display filter

This display filter scans entire HTTP packets for the string "SOAPAction:". This might be inefficient compared to a custom HTTP header field, but it works well.

http contains "SOAPAction:"
Так же в этом разделе:
MyTetra Share v.0.64
Яндекс индекс цитирования