How to convert multiple .pcap files to .csv

Question

Hi,

I would like to know if it is possible to convert multiple wireshark capture files to csv files. For example there are 3 files in a folder, is there any way to convert all three with a command or does anyone know a way to do this? Any help is appreciated.

I am using a tshark command to convert one file at a time,instead of test.pcap and test.csv i tried using variables as well with wildcard characters.

tshark -T fields -n -r "C:\test.pcap" -E separator=, -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e tcp.analysis.ack_rtt >> "C:\test.csv"

I've also tried using a for command but im running into errors with syntax. This is the full script im working with.


set outfile=*.csv
set infile=*.pcap

cd C:\Program Files\Wireshark

for /f  %%f in ('dir /b C:\testfolder\') do tshark -T fields -n -r "C:\testfolder\%infile%" -E separator=, -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e tcp.analysis.ack_rtt >> "C:\testfolder\%outfile%"  %%f

Thank you in advance.

Accepted Answer

2

Please try this:


@echo off

set cap_files="*.cap"
set cap_folder="c:\testfolder\"

set outfile=c:\testfolder\outfile.txt

set tshark_cmd="c:\Program Files\Wireshark\tshark"
set tshark_options=-n -T fields -E separator=, -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e tcp.analysis.ack_rtt

echo. > %outfile%

for /r %cap_folder% %%f in (%cap_files%) do (
    echo Processing File: %%f

    REM echo == File:  %%f >> %outfile%
    %tshark_cmd%  -r %%f %tshark_options% >> %outfile%
)

echo.
echo Results in: %outfile% ... Cheers Kurt

Sample output:


C:\testfolder> loop.cmd
Processing File: c:\testfolder\input_1.cap
Processing File: c:\testfolder\input_2.cap

Results in: c:\testfolder\outfile.txt ... Cheers Kurt

Regards
Kurt

link

answered 17 Jul '12, 11:53

Kurt Knochner
8.2k●4●18●75
accept rate: 15%

edited 17 Jul '12, 11:57

Hi Kurt,

This worked perfectly for what I was trying to do, Thank you. Im going to tweak it to see if I am able to get seperate output files for each capture file.

Thanks again for your help.

(17 Jul '12, 12:25) nyc

good luck!

(17 Jul '12, 12:29) Kurt Knochner

Will above command able to include Payload information in the txt file?

(06 Feb, 23:15) Lim Gordon

1

If you adjust the tshark options and depending on the type of payload you are interested: Yes.

(07 Feb, 04:20) Kurt Knochner

Kurt, can you give me example of tshark option to include payload?

(13 Feb, 08:32) Lim Gordon

1

What payload are you interested in? TCP, UDP, HTTP, SMTP?
Can you describe in which format you need the payload (ASCII, HEX, RAW)
Can you describe how you want to process the payload data or what you are looking for?

(13 Feb, 08:38) Kurt Knochner

• What payload are you interested in? << TCP. • Can you describe in which format you need the payload. << RAW. • Can you describe how you want to process the payload data or what you are looking for? << Still exploring and play around data.

(21 Feb, 08:12) Lim Gordon

showing 5 of 7 show 2 more comments

How to convert multiple .pcap files to .csv

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions