TShark CSV export problem

asked 2020-01-04 16:26:24 +0000

NIoSaT

Hello,
I am using tshark to export a pcap to a csv.
The command looks like this (I have many more fields that I want to export, I removed them here to make it shorter):

tshark -r recording.pcap -T fields -e ip.proto -e ipv6.nxt -e frame.number -e frame.time_relative -e ... -E header=y -E separator=, -E quote=d > out.csv

This works for the most part and I get output lines in my CSV as I would expect them:

"6",,"2552","53.591729000","Jan 25, 2011 19:53:16.076138000 CET","936","936","00:1a:8c:15:f9:80","40:61:86:9a:f1:f5","66.235.139.121","192.168.3.131",,,"80","56126","3233954145",,

But some lines in my CSV are "broken" like this:

"1,1",,"5583","2.171949000","Feb 26, 2013 23:02:38.125121000 CET","70","70","00:90:7f:3e:02:d0","00:90:fb:34:44:24","68.85.69.49,172.16.133.109","172.16.133.109,64.30.236.34",,,,,,,

As you can see the protocol number (1) is there twice and the ip addresses are also "doubled"...
When I look at this packet in wireshark I can see that it is an ICMP packet and from 68.85.69.49 to 172.16.133.109.
It seems that tshark has somehow "merged" two packets into one row. Sometimes it's even worse, with 5 or more.

I used this export technique before and it always worked as expected.
Is there anything I could do about this?
I used the smallFlows.pcap and bigFlows.pcap from here


1 Answer


answered 2020-01-04 17:11:32 +0000

grahamb

This is not a Wireshark or tshark issue, but due to the nature of the traffic.

Depending on the specific ICMP message, an ICMP packet can include portions of the original packet that caused the ICMP message to be transmitted. Looking at smallFlows.pcap there are ICMP Time-To-Live exceed packets that do include the original packet. As this original packet info is also dissected by Wireshark, the "duplicated" fields are included in the output.

To filter these out, either exclude ICMP as part of a filter expression, disable the ICMP dissector or limit the field output to the first occurrence with -E occurrence=f.


Comments

Oh I never noticed this before.
Wireshark handles it like I would expect: Source and Destination are a single IP and all other information is inside the payload part. So with -E occurrence=f tshark only outputs the first occurrence and not the others that might be inside the actual payload and not the header of the packet?

NIoSaT (2020-01-05 12:53:28 +0000)

Yes, first occurrence limits the output to the first occurrence of a field in the packet. From the tshark man page:

occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).

grahamb (2020-01-05 16:02:27 +0000)
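As an added example (not part of the original thread), the following Python post-processes the kind of CSV the asker's command produces, so that the outer header (what -E occurrence=f would give) and the quoted inner packet carried by an ICMP error are both kept instead of one being discarded. The sample rows are constructed from the question's output with a reduced, assumed field order, and the aggregator is assumed to be tshark's default comma.

```python
import csv
import io

# Constructed sample of "tshark -T fields -E header=y -E separator=, -E quote=d"
# output, modelled on the rows in the question (field order is an assumption).
# In the ICMP row every multi-occurrence field holds "outer,embedded" values
# joined by tshark's default aggregator, which is also a comma; quote=d is what
# keeps the file parseable at all.
SAMPLE = '''ip.proto,frame.number,ip.src,ip.dst,tcp.srcport,tcp.dstport
"6","2552","66.235.139.121","192.168.3.131","80","56126"
"1,1","5583","68.85.69.49,172.16.133.109","172.16.133.109,64.30.236.34",,
'''

AGGREGATOR = ","  # tshark's default -E aggregator (assumed unchanged)


def parse_rows(text, aggregator=AGGREGATOR):
    """Parse tshark field output; every value becomes a list of occurrences."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v.split(aggregator) if v else []) for k, v in rec.items()})
    return rows


def first_occurrence(row):
    """Emulate -E occurrence=f: keep only the outermost value of each field."""
    return {k: (v[0] if v else "") for k, v in row.items()}


def embedded_packet(row):
    """Values after the first occurrence come from the dissected inner packet,
    i.e. the original datagram quoted inside an ICMP error message.
    Returns None when the frame carried no embedded packet."""
    inner = {k: v[1:] for k, v in row.items() if len(v) > 1}
    return inner or None


def is_icmp_error_with_quote(row):
    """True for IPv4 ICMP frames (ip.proto 1) that quote another packet."""
    outer = first_occurrence(row)
    return outer.get("ip.proto") == "1" and embedded_packet(row) is not None


if __name__ == "__main__":
    for row in parse_rows(SAMPLE):
        outer = first_occurrence(row)
        print(outer["frame.number"], outer["ip.src"], "->", outer["ip.dst"])
        if is_icmp_error_with_quote(row):
            # For a TTL-exceeded message the quoted packet's source is the
            # host receiving the error, which is exactly what the row shows.
            print("  quoted packet:", embedded_packet(row))
```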
