In Tshark, which character to use as field-separator to separate SMS text from a bunch of data, as any character can be used within the SMS text?

asked 2018-08-31 14:46:27 +0000

Jason

I have a pcap file which has a bunch of data, and one of those data fields is SMS-text. It is dummy data of course.

I am using Tshark and giving it a -E separator=CHARACTER, on the basis of which it separates fields into a CSV file. It uses a comma character as the default field separator.

Now the problem is that whenever a comma character occurs in SMS text, it separates the rest of the SMS text and makes it a separate field. If I add -E quote=d to the command, it separates at the occurrence of " within SMS text and considers the rest of the SMS text as a separate field. This is a problem.

So my question is: how do I find a single character which I can use as a field separator in this case?

At the moment, my tshark command looks like this:

tshark -r inputFile.pcap  -T fields  -e field1  -e field2  -e smsTextField  -E quote=d  -E separator=,  >output.csv

1 Answer

answered 2018-08-31 15:58:29 +0000

cmaynard

According to the tshark man page, the tab character should be the default separator; have you tried it either implicitly or explicitly, i.e. -E separator=/t? Ultimately, it may just take some trial-and-error to find a character that's not present in the text. To quote the man page: "Otherwise any character that can be accepted by the command line as part of the option may be used."
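
An added example, not part of the original question or answer: it automates the trial-and-error by scanning already-extracted SMS texts for a separator that never occurs, and shows a bounded split that keeps stray separators inside the final field. Function names and sample data are hypothetical; it assumes the SMS field is listed last, the other fields never contain the separator, records are one per line, and -E quote=d is not used.

```python
# Added example (not from the original thread). Sample data is constructed.

# Stand-in for the lines printed by a single-field run such as
#   tshark -r inputFile.pcap -T fields -e smsTextField
SAMPLE_SMS = [
    "Hi, are you there?",
    'He said "call me" at 5',
    "menu: a|b;c\tand a tab",
]

# Tried in order; tab first because the answer suggests it.
CANDIDATES = ["\t", "|", ";", "~", "^"]


def find_unused_separator(texts, candidates=CANDIDATES):
    """Return the first candidate that occurs in none of the texts, or None."""
    used = set()
    for text in texts:
        used.update(text)
    for ch in candidates:
        if ch not in used:
            return ch
    return None


def tshark_separator_arg(ch):
    """Value for -E separator=...; tab has to be written as /t."""
    return "/t" if ch == "\t" else ch


def parse_row(line, sep, nfields):
    """Split one output line, keeping any further separators in the last field."""
    parts = line.rstrip("\n").split(sep, nfields - 1)
    if len(parts) != nfields:
        raise ValueError(f"expected {nfields} fields, got {len(parts)}")
    return parts


if __name__ == "__main__":
    sep = find_unused_separator(SAMPLE_SMS)
    print("use: -E 'separator=" + tshark_separator_arg(sep) + "'")
    # Comma-separated line with a comma inside the SMS text (last field).
    print(parse_row("10,20,Hi, are you there?", ",", 3))
```
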

Last updated: Aug 31 '18