Ask Your Question
0

Is there a field name for pcap filename?

asked 2019-05-09 11:23:20 +0000

pmqs gravatar image

updated 2019-05-09 12:19:33 +0000

I'm using a program that executes tshark to collect a series of fields from a large collection of pcap files. So internally it fires up tshark for each pcap file in turn.

Outputting the fields from the pcap is fine - I'm using the "-e" option to specify each of the fields names I need. Most of the time that is just fine, but I have a use-case where I also need to know the name of the pcap where there field data came from.

Is there a field name that corresponds to the pcap filename? Checked the fields reference here, but don't see anything.

If it doesn't exist I can change the program to get it to output the filename.

edit retag flag offensive close merge delete

Comments

Question: When you run tshark on a file, you already know the file name, so why would you need having it in a field?

SYN-bit gravatar imageSYN-bit ( 2019-05-09 11:33:22 +0000 )edit

The problem is I'm not running against a single pcap file. This is all happening within a program that invokes tshark against each pcap in turn. The tshark output doesn't show which file the data came from.

pmqs gravatar imagepmqs ( 2019-05-09 11:44:34 +0000 )edit

I have a script that indexes all my pcaps to extract fields and the script prepends the filename to the fields. So maybe you can do something similar in your setup? Have the output of tshark post-processed to include the filename there where you need it. If this does not work for you, could you please tell me more about what you are trying to accomplish?

SYN-bit gravatar imageSYN-bit ( 2019-05-09 12:05:54 +0000 )edit

Updated question to add more detail

pmqs gravatar imagepmqs ( 2019-05-09 12:20:25 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-05-09 12:44:00 +0000

Jaap gravatar image

There are no fields which give access to capture file properties, so these won't be accessible in this way.

edit flag offensive delete link more

Comments

Thanks. Will go with Plan "B" then :-)

pmqs gravatar imagepmqs ( 2019-05-09 12:45:58 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-05-09 11:23:20 +0000

Seen: 44 times

Last updated: May 09