
Extraction of field names using tshark

asked 2020-03-27 15:31:05 +0000


I have very different types of pcap files and want to extract the field names from those files, e.g. eth.dst, sctp.srcport, in one go using tshark. I tried to find a magic command for that, but could not find it.

I want to convert the pcap file into a csv file in the end, but first I need a list of what fields there are... and "normal" looking at them in Wireshark is not an option in the use case I have in mind.


2 Answers


answered 2020-03-27 15:58:23 +0000


Thanks. It can be either Linux or Windows, since I will integrate it into a Python script for both possibilities. I will check both approaches.


answered 2020-03-27 15:53:12 +0000


updated 2020-03-27 15:53:30 +0000

If working on Linux (or Windows with WSL):
tshark -r <filename> -T pdml | grep -o '<field name="[^"]*"' | sed -e 's/^<field name="//' -e 's/"$//' | grep -v '^$' | sort -u



Thanks, the WSL trick is not really helping, as basically I would force the user of the Python script to install WSL and also to install and run the Python stuff there... which basically means that the script will not be used. The classical Wireshark export to CSV skips many details, and that is why I thought of tshark... but there one needs to know all the field names and cannot just say "all" (at least not that I figured out).

Sand (2020-04-01 07:38:51 +0000)

If it can be done with PowerShell, would that be acceptable?

Chuckc (2020-04-01 13:36:20 +0000)
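An added example covering both the field-name discovery in the answer above and the CSV export the question asks for. It is written in Python, because the asker plans to wrap this in a Python script that must also run on Windows without WSL, and it does the grep/sed work with the standard library's XML parser instead, so no Unix tools are needed. This is not code from the question or the answers: it assumes tshark is on PATH under the name tshark, that tshark -T pdml emits the <packet>/<proto>/<field name="..."> structure shown, and it uses a hand-constructed, trimmed PDML document as offline sample input. The -E options passed to tshark -T fields (header, separator, quote, occurrence, aggregator) are tshark's own documented output options.

```python
"""Added example (not from the question or answers): list the field names in a
capture via tshark's PDML output, then build the tshark -T fields command that
exports exactly those fields to CSV. Assumes tshark is on PATH as "tshark".
SAMPLE_PDML is a hand-constructed, trimmed document in the shape of real
tshark -T pdml output, used so the parsing part runs offline.
"""
import io
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample. Note the sub-field nested under eth.dst and the unnamed
# text item (name="") in sctp; both shapes occur in real PDML.
SAMPLE_PDML = b"""<?xml version="1.0" encoding="utf-8"?>
<pdml version="0" creator="wireshark/3.2.3">
<packet>
  <proto name="geninfo" pos="0" showname="General information" size="74">
    <field name="num" pos="0" show="1" showname="Number" value="1" size="74"/>
  </proto>
  <proto name="eth" showname="Ethernet II" size="14" pos="0">
    <field name="eth.dst" showname="Destination: 00:11:22:33:44:55" size="6" pos="0" show="00:11:22:33:44:55" value="001122334455">
      <field name="eth.dst_resolved" showname="Destination (resolved): 00:11:22:33:44:55" size="6" pos="0" show="00:11:22:33:44:55" value="001122334455"/>
    </field>
    <field name="eth.src" showname="Source: 66:77:88:99:aa:bb" size="6" pos="6" show="66:77:88:99:aa:bb" value="66778899aabb"/>
    <field name="eth.type" showname="Type: IPv4 (0x0800)" size="2" pos="12" show="0x00000800" value="0800"/>
  </proto>
  <proto name="sctp" showname="Stream Control Transmission Protocol" size="16" pos="34">
    <field name="sctp.srcport" showname="Source port: 3868" size="2" pos="34" show="3868" value="0f1c"/>
    <field name="sctp.dstport" showname="Destination port: 3868" size="2" pos="36" show="3868" value="0f1c"/>
    <field name="" show="Text item without a filter name" size="0" pos="38"/>
  </proto>
</packet>
</pdml>
"""


def _field_names_from_stream(stream):
    """Stream-parse PDML and return the sorted distinct field names.

    iterparse (not fromstring) so a multi-gigabyte capture never has to fit in
    memory: each finished <packet> is cleared. Nested <field> elements are
    visited too, and unnamed text items (name="") are dropped because they
    cannot be requested with -e.
    """
    names = set()
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag == "field":
            name = elem.get("name", "")
            if name:
                names.add(name)
        elif elem.tag == "packet":
            elem.clear()
    return sorted(names)


def field_names_from_pdml(pdml_bytes):
    """Field names from PDML already held in memory (bytes)."""
    return _field_names_from_stream(io.BytesIO(pdml_bytes))


def field_names_from_capture(pcap_path):
    """Field names from a capture file, by running tshark -T pdml.

    Arguments go through an argv list, never a shell, so a hostile file name
    cannot inject commands.
    """
    if shutil.which("tshark") is None:
        raise FileNotFoundError("tshark not found on PATH")
    with subprocess.Popen(["tshark", "-r", pcap_path, "-T", "pdml"],
                          stdout=subprocess.PIPE) as proc:
        names = _field_names_from_stream(proc.stdout)
    if proc.returncode != 0:
        raise RuntimeError("tshark exited with status %d" % proc.returncode)
    return names


def csv_export_command(pcap_path, fields):
    """argv that exports exactly these fields as CSV on tshark's stdout.

    header=y writes the names as the first row; quote=d quotes every value
    (values can contain commas); occurrence=a keeps every occurrence of a
    field in a packet, joined by the aggregator, instead of only the first.
    """
    cmd = ["tshark", "-r", pcap_path, "-T", "fields",
           "-E", "header=y", "-E", "separator=,", "-E", "quote=d",
           "-E", "occurrence=a", "-E", "aggregator=;"]
    for name in fields:
        cmd += ["-e", name]
    return cmd


def export_csv(pcap_path, out_path):
    """Discover every field in pcap_path, then write them all to out_path."""
    fields = field_names_from_capture(pcap_path)
    with open(out_path, "wb") as out:
        subprocess.run(csv_export_command(pcap_path, fields),
                       stdout=out, check=True)
    return fields


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # python script.py in.pcap out.csv
        print("\n".join(export_csv(sys.argv[1], sys.argv[2])))
    else:                                       # offline demo on the sample
        print("\n".join(field_names_from_pdml(SAMPLE_PDML)))
```

Run it as `python script.py capture.pcap capture.csv` to get a CSV with one column per field that occurs anywhere in the capture; with no arguments it only prints the names found in the embedded sample. Because the field list comes from the capture itself, the second tshark pass needs no hand-maintained list of names, which is the gap the comment above describes.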

