Ask Your Question
0

Problem with tshark and plain text output with column names

asked 2019-11-10 22:29:26 +0000

TacoTuesdayAgain gravatar image

What I'm trying to do is use tshark to read a pcap file and give me a human-readable, plain text output file with the correct columns including: absolute date, IP src, IP dst, and Info. Having a first line of the column header names would be nice to have.

The first problem is that I can't figure out what the fields are called. Even though Wireshark has a field called "Info", tshark doesn't think this is a valid name. I also can't get tshark to display any absolute date. I have not found it easy to figure out the -T -E -e options and clearly I am goofing something up.

Here is one run:

C:\Program Files\Wireshark>"c:\Program Files\Wireshark\tshark.exe" -T fields -E occurrence=l -e Info -e _ws.col.AbsTime -e ip.src -e ip.dst -r D:\capturefiles\Daily-capture-2019-11-10_00001_20191110143657.pcap
tshark: Some fields aren't valid:
        Info
edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
0

answered 2019-11-11 02:37:06 +0000

Guy Harris gravatar image

If by "human-readable, plain text output file with the correct columns" you mean output like the packet summary pane in Wireshark, there is an alternative to -T, -E, and -e.

Just try running, for example, "c:\Program Files\Wireshark\tshark.exe" -r D:\capturefiles\Daily-capture-2019-11-10_00001_20191110143657.pcap.

That defaults to printing the columns you've set up in Wireshark or, if you've never edited the column list in Wireshark, the default column list. You can set the column list by passing the argument -o gui.column.format:cols, where cols is a string containing a sequence of column title/column type pairs, with commas separating the column title and the corresponding type following it, as well as separating a column type from the next column's title.

The column titles must be quoted, with double quotes, if they contain spaces; that would require that the entire argument be quoted, and that the quoted argument itself contain quotes - that can be done on UN*X command lines by using single quotes for the entire argument and double quotes for the column titles, or by using double quotes for the entire argument and escaping the double quotes around the column titles with backslashes; I'm not sure how to do that on Windows command lines.

The column types are currently documented only in the output of tshark -G column-formats. %Cus is described as just "Custom"; that's used for custom columns that use a packet field, and the syntax is %Cus:{name}:{instance}:{resolved}, where {name} is the field name, {instance} is the ordinal number of the instance to display (0-origin, so 0 is the first instance in the packet, 1 is the second instance in the packet, etc.), and {resolved}is either R if the column is "resolved" or U if it's "unresolved". The distinction between "resolved" and "unresolved" is not documented and is not clear; it doesn't seem to work in a sensible fashion for the arp.opcode field, as the "unresolved" version is blank rather than the numerical value of the opcode.

There is currently no mechanism to cause the column titles to be written out as the first line.

edit flag offensive delete link more
0

answered 2019-11-10 23:07:09 +0000

Chuckc gravatar image

updated 2019-11-10 23:11:26 +0000

$ tshark -r ./nfl.pcapng  -T fields -e _ws.col.Time -e ip.src -e ip.dst -e _ws.col.Info -Eheader=y -c 3 -t ad
_ws.col.Time    ip.src  ip.dst  _ws.col.Info
2018-10-11 18:00:49.189070      192.168.1.70    72.21.91.29     54042 â+' 80 [ACK] Seq=1 Ack=1 Win=253 Len=1
2018-10-11 18:00:49.198412      72.21.91.29     192.168.1.70    80 â+' 54042 [ACK] Seq=1 Ack=2 Win=288 Len=0 SLE=1 SRE=2
2018-10-11 18:00:49.270602      192.168.1.70    23.62.236.26    54000 â+' 80 [ACK] Seq=1 Ack=1 Win=255 Len=1
$

Time formats available with -t:

  -t a|ad|d|dd|e|r|u|ud|?  output format of time stamps (def: r: rel. to first)
        "a"    for absolute
        "ad"   for absolute with YYYY-MM-DD date
        "adoy" for absolute with YYYY/DOY date
        "d"    for delta
        "dd"   for delta displayed
        "e"    for epoch
        "r"    for relative
        "u"    for absolute UTC
        "ud"   for absolute UTC with YYYY-MM-DD date
        "udoy" for absolute UTC with YYYY/DOY date

https://www.wireshark.org/docs/man-pa...

-e <field>
Add a field to the list of fields to display if -T ek|fields|json|pdml is selected. This option can be used multiple times on the command line. At least one field must be provided if the -T fields option is selected. Column names may be used prefixed with "_ws.col."

Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

Giving a protocol rather than a single field will print multiple items of data about the protocol as a single field. Fields are separated by tab characters by default. -E controls the format of the printed fields.
edit flag offensive delete link more

Comments

Thanks very much! I appreciate the details! Once I took out the -c 3 I started seeing expected results. He syntax looks simple enough.

TacoTuesdayAgain gravatar imageTacoTuesdayAgain ( 2019-11-11 00:19:19 +0000 )edit

Sorry - left that in from testing the option combinations.

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
Chuckc gravatar imageChuckc ( 2019-11-11 00:58:16 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-11-10 22:29:26 +0000

Seen: 4,376 times

Last updated: Nov 11 '19