
Command line packet dissection?

asked 2022-09-30 11:53:38 +0000

IanW

One of the tasks I use Wireshark for is to convert pcap capture files to csv format for statistical and anomaly analysis by other programs. These files tend to be very large and manually specifying the profile to use, opening the pcap, waiting for it to load, then specifying the output csv, and waiting for it to write can take a long time, and require a lot of memory.

I see that some parts of Wireshark can be driven from the command line, but I'm unclear if that includes pcap to csv conversion, using the full protocol analysis wireshark so admirably performs, and outputting those fields I've defined in a profile.

Anyone know how to get this to work?


1 Answer


answered 2022-09-30 13:51:20 +0000

grahamb

Use tshark, with the -T fields option along with multiple -e <field.name> options to specify the fields of interest and -E options to control output format.


Comments

Many thanks for that. There seem to be a few little quirks but I think I've got most of them sorted now by adding in my profile file and setting the time formatting I want:

set WIRESHARK_CONFIG_DIR=C:/Users/PIWN01221/Downloads/WiresharkPortable64-development/Data

C:\Users\PIWN01221\Downloads\WiresharkPortable64-development\App\Wireshark\tshark.exe -T fields -E header=y -E separator=, -E quote=d -C masterclass -t ud -r head.pcap > head.tshark.csv -e _ws.col.No. -e _ws.col.Time -e _ws.col.Delta -e _ws.col.Source -e _ws.col.SrcPo -e _ws.col.Destination -e _ws.col.DstPo -e _ws.col.Protocol -e _ws.col.Length -e tcp.len -e http.time -e http.response.code -e tls.alert_message.desc -e tcp.seq -e tcp.nxtseq -e tcp.ack -e tcp.seq_raw -e tcp.ack_raw -e tcp.analysis.out_of_order -e tcp.analysis.lost_segment -e tcp.analysis ...
(more)
IanW (2022-10-04 09:44:24 +0000)

Maybe need the -2 two-pass flag?

grahamb (2022-10-04 10:01:20 +0000)

Regrettably, the same.

IanW (2022-10-04 11:40:59 +0000)

Sometimes reporting a segment as tcp instead of http is because http reassembly is disabled but as you're using a profile (I'm assuming the same one for tshark and Wireshark) that would seem unlikely.

There is only one dissection engine, it's used by both Wireshark and tshark (they are the UI over the engine) so any dissection differences are likely to be preference settings.

grahamb (2022-10-04 14:23:41 +0000)

Reassembly could well be involved: the message looks like it's been split into multiple datagrams. Both wireshark and tshark identify the first datagram as HTTP but tshark identifies all subsequent datagrams as TCP whereas wireshark as HTTP.

Yes, the tshark incantation points to my wireshark config.

IanW (2022-10-05 06:00:36 +0000)
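As an added example (not code from the thread), the tshark field export described in the answer and in IanW's comment, driven from Python: the command is built as an argv list so no shell redirect is needed, the -C profile and -2 two-pass options from the comments are included, and the resulting header=y/separator=,/quote=d CSV is parsed and summarised for the kind of statistical pass the question mentions. The field list is taken from the comment; the CSV rows and the "1" lost-segment marker are constructed sample data.

```python
"""Drive tshark's -T fields CSV export from Python and summarise the output."""
import csv
import io
import subprocess
from collections import Counter

# Field list assumed from the tshark invocation quoted in the comments above.
FIELDS = ["_ws.col.No.", "_ws.col.Time", "_ws.col.Source", "_ws.col.Destination",
          "_ws.col.Protocol", "_ws.col.Length", "tcp.len", "http.response.code",
          "tcp.analysis.lost_segment"]

def build_tshark_argv(tshark, pcap, fields, profile=None, two_pass=True):
    """Return argv for a CSV export: -T fields with one -e per field, -E options
    for a header row, comma separator and double quoting, -t ud for UTC dates,
    -C <profile> to reuse a saved configuration profile and -2 for two-pass
    analysis so reassembly and tcp.analysis flags see the whole capture.
    Passing a list to subprocess sidesteps shell quoting entirely."""
    argv = [tshark, "-r", pcap, "-T", "fields", "-t", "ud",
            "-E", "header=y", "-E", "separator=,", "-E", "quote=d"]
    if profile:
        argv += ["-C", profile]
    if two_pass:
        argv.append("-2")
    for field in fields:
        argv += ["-e", field]
    return argv

def run_export(argv, out_path):
    """Run tshark and stream stdout into out_path (replaces the '>' redirect)."""
    with open(out_path, "w", newline="") as out:
        subprocess.run(argv, stdout=out, check=True)

def summarize(csv_text):
    """Parse the export and return per-protocol packet counts, total TCP payload
    bytes and the frame numbers where tcp.analysis.lost_segment was present
    (any non-empty value in that column means the flag was set)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    protocols = Counter(r["_ws.col.Protocol"] for r in rows)
    payload = sum(int(r["tcp.len"] or 0) for r in rows)
    lost = [r["_ws.col.No."] for r in rows if r["tcp.analysis.lost_segment"]]
    return {"protocols": protocols, "tcp_payload_bytes": payload, "lost_segments": lost}

# Constructed sample of the export format; not real capture data.
SAMPLE_CSV = '"' + '","'.join(FIELDS) + '"\n' + (
    '"1","2022-09-30 11:53:38.000000","10.0.0.5","10.0.0.9","HTTP","312","258","",""\n'
    '"2","2022-09-30 11:53:38.004000","10.0.0.9","10.0.0.5","TCP","1514","1460","","1"\n'
    '"3","2022-09-30 11:53:38.009000","10.0.0.9","10.0.0.5","HTTP","700","646","200",""\n')
```

Call run_export(build_tshark_argv("tshark", "head.pcap", FIELDS, profile="masterclass"), "head.tshark.csv") to produce the file, then summarize(open("head.tshark.csv").read()) to get the counts.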
