
TShark CSV export problem

Hello,
I am using tshark to export a pcap to a csv.
The command looks like this (I have many more fields that I want to export, I removed them here to make it shorter):

tshark -r recording.pcap -T fields -e ip.proto -e ipv6.nxt -e frame.number -e frame.time_relative -e ... -E header=y -E separator=, -E quote=d > out.csv

This works for the most part and I get output lines in my CSV as I would expect them:

"6",,"2552","53.591729000","Jan 25, 2011 19:53:16.076138000 CET","936","936","00:1a:8c:15:f9:80","40:61:86:9a:f1:f5","66.235.139.121","192.168.3.131",,,"80","56126","3233954145",,

But some lines in my CSV are "broken" like this:

"1,1",,"5583","2.171949000","Feb 26, 2013 23:02:38.125121000 CET","70","70","00:90:7f:3e:02:d0","00:90:fb:34:44:24","68.85.69.49,172.16.133.109","172.16.133.109,64.30.236.34",,,,,,,

As you can see, the protocol number (1) is there twice and the IP addresses are also "doubled"...
When I look at this packet in Wireshark I can see that it is an ICMP packet from 68.85.69.49 to 172.16.133.109.
It seems that tshark has somehow "merged" two packets into one row. Sometimes it's even worse, with 5 or more.

I used this export technique before and it always worked as expected.
Is there anything I could do about this?
I used the smallFlows.pcap and bigFlows.pcap from here.
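As an added illustration (not part of the original post): tshark's -T fields output prints every occurrence of a field found in a packet, joined by the aggregator character, which defaults to the same comma used here as the column separator, and an ICMP error message quotes the IP header of the datagram that triggered it, so ip.proto, ip.src and ip.dst appear twice for such packets. The Python below parses the two rows above under an assumed 18-column header (the poster elided most -e field names, so these names are a guess that fits the visible values) and splits only per-layer fields, so the literal comma inside frame.time is left intact.

```python
import csv
import io

# Constructed sample: the two rows from the question under an ASSUMED header.
# The poster elided most -e fields; these 18 names are a guess that matches
# the visible values, not the poster's actual command.
HEADER = ("ip.proto,ipv6.nxt,frame.number,frame.time_relative,frame.time,"
          "frame.len,frame.cap_len,eth.src,eth.dst,ip.src,ip.dst,ipv6.src,"
          "ipv6.dst,tcp.srcport,tcp.dstport,tcp.seq,udp.srcport,udp.dstport")
SAMPLE = HEADER + "\n" + (
    '"6",,"2552","53.591729000","Jan 25, 2011 19:53:16.076138000 CET","936",'
    '"936","00:1a:8c:15:f9:80","40:61:86:9a:f1:f5","66.235.139.121",'
    '"192.168.3.131",,,"80","56126","3233954145",,\n'
    '"1,1",,"5583","2.171949000","Feb 26, 2013 23:02:38.125121000 CET","70",'
    '"70","00:90:7f:3e:02:d0","00:90:fb:34:44:24",'
    '"68.85.69.49,172.16.133.109","172.16.133.109,64.30.236.34",,,,,,,\n'
)

# Fields that legitimately occur once per encapsulated header: an ICMP error
# quotes the offending IP header, so ip.* shows up twice. frame.* never
# repeats, and frame.time contains a literal ',' that must not be split.
REPEATABLE_PREFIXES = ("ip.", "ipv6.", "tcp.", "udp.", "icmp.")


def parse_tshark_fields(text, aggregator=","):
    """Parse tshark -T fields CSV; repeatable fields become lists of occurrences."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        parsed = {}
        for name, value in row.items():
            if value == "":
                parsed[name] = []                      # field absent in packet
            elif name.startswith(REPEATABLE_PREFIXES):
                parsed[name] = value.split(aggregator)  # one entry per header
            else:
                parsed[name] = [value]                 # single-valued field
        rows.append(parsed)
    return rows


def outermost(row):
    """First occurrence of every field: the headers of the packet itself."""
    return {k: (v[0] if v else "") for k, v in row.items()}


def has_encapsulated_headers(row):
    """True when any field appears more than once (a nested IP header is present)."""
    return any(len(v) > 1 for v in row.values())
```

Choosing a different aggregator at export time (`-E aggregator=/`) or keeping only the first occurrence (`-E occurrence=f`) removes the ambiguity before the CSV is written.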