This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract Wireshark’s information column from a post capture to a text file using tshark?

0

Looking for how to extract the Information column that is displayed in Wireshark from a completed capture using Tshark and dump it into a text file. I know it can be done with Wireshark manually, but I need to do it from the command line so it can be used in a script. I am familiar with some commands of Tshark but can't figure out the correct switch to get the "Information Column".

tshark -r <input> -T fields (questionable part) > output.txt

Use case: After outputting the Information column to a text file, I will use PowerShell to extract any names of executables which have an executable extension and have been downloaded, i.e. .bat, .com, .scr, .exe, etc. This will be for a work network; obviously there should be many .exe's for various software updating periodically, but any of the others will hopefully alert us to nefarious activities.

asked 26 Dec '14, 21:32


zer0day
accept rate: 60%


2 Answers:

0

Funny, it always seems to happen: as soon as I ask a question, I then find my answer. Excuse my process. The command below does what I was looking for.

tshark -V -r path\capture.cap > path\output.txt

answered 26 Dec '14, 22:05


zer0day
accept rate: 60%

2

If you are using Windows, please try

tshark -r <input> -T fields -e _ws.col.Info > output.txt

_ws.col I think means Wireshark column, and .Info must be the same as the column name.

answered 29 Jan '15, 06:39


Hu Paul
accept rate: 0%

Was helpful, thanks for sharing

(31 Jan '15, 21:57) zer0day

@Hu Paul Thanks a lot for sharing this (y)

(25 Mar '16, 06:14) rabeeljaved
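The following is an added example that ties the two parts of this thread together: the `-T fields -e _ws.col.Info` switch from Hu Paul's answer (which prints exactly the text Wireshark shows in its Info column, unlike `-V`, which dumps the full dissection tree of every packet) and the PowerShell post-processing from the question's use case. It is not code from the original posts or from the Wireshark project. The capture path, the output path, the extension list and the sample Info lines are all assumptions made up for illustration; `-Y 'http.request'` is tshark's display-filter switch and is used here only to keep the output to HTTP requests. Keep in mind that this only sees file names in plaintext protocols; a download over HTTPS leaves nothing useful in the Info column.

```powershell
# Added example, not code from the original posts or from the Wireshark project.
# Assumptions: tshark.exe is on PATH, the capture and output paths are placeholders,
# and the sample Info lines at the bottom are constructed, not real traffic.

# Extensions from the question (.bat, .com, .scr, .exe) plus a few other Windows-executable ones.
$ExecExtensions = 'exe', 'bat', 'cmd', 'com', 'scr', 'pif', 'msi', 'dll', 'vbs', 'ps1'

# Match a file name (typically a URL path segment) ending in one of those extensions.
# (?i) makes it case-insensitive; the trailing \b stops ".executable" from matching ".exe".
$ExecPattern = '(?i)[\w\-\.%~]+\.(?:' + ($ExecExtensions -join '|') + ')\b'

function Find-ExecutableNames {
    <#
      Scan lines of tshark Info-column output and emit one object per hit:
      the file name, its lower-cased extension, and the Info line it came from.
    #>
    param([Parameter(Mandatory)][string[]]$Lines)

    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, $ExecPattern)) {
            [pscustomobject]@{
                Name      = $m.Value
                Extension = $m.Value.Split('.')[-1].ToLower()
                Info      = $line
            }
        }
    }
}

# Real-world use: dump the Info column of an existing capture to a text file.
# -T fields -e _ws.col.Info prints the same text Wireshark shows in its Info column;
# -Y 'http.request' keeps only HTTP requests so TCP ack/seq lines do not clutter the file.
$Capture  = 'C:\captures\capture.cap'   # placeholder path (assumption)
$InfoFile = 'C:\captures\info.txt'      # placeholder path (assumption)
if (Test-Path $Capture) {
    & tshark -r $Capture -Y 'http.request' -T fields -e _ws.col.Info |
        Set-Content -Path $InfoFile -Encoding UTF8
    $lines = Get-Content -Path $InfoFile
} else {
    # Constructed sample of what _ws.col.Info prints for HTTP requests (not real traffic).
    $lines = @(
        'GET /updates/agent-4.2.1.exe HTTP/1.1',
        'GET /images/logo.PNG HTTP/1.1',
        'GET /share/invoice.scr HTTP/1.1',
        'POST /cgi-bin/upload.cgi HTTP/1.1',
        'GET /tmp/Setup.BAT?x=1 HTTP/1.1'
    )
}

# .exe is expected on a corporate network; anything else in the list deserves a look.
# On the constructed sample this reports invoice.scr and Setup.BAT.
Find-ExecutableNames -Lines $lines |
    Where-Object { $_.Extension -ne 'exe' } |
    Format-Table Name, Extension, Info -AutoSize
```

Because the script only shells out to tshark when the capture file exists, it can be run as-is against the constructed lines to check the regex before pointing it at real output. Dropping the `Where-Object` filter lists the .exe downloads too, which is useful for confirming that the "expected" updates really are coming from the hosts you expect.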