Hi, I am a newbie to Wireshark. I want to export my pcap to CSV. I need to export the data in this format: Date || Time || Src_IP || Dest_IP || Src_Port || Dest_Prt || Protocol || Classification (tcp flags, udp, icmp). I am using the CLI to do this.
Questions:
I am using tcp.flags and it results in a decimal number, and I don't know the value of the TCP flags. Example: tcp.flags=18. Need help!

asked 25 Feb '15, 21:02 Viru, edited 26 Feb '15, 01:55 Kurt Knochner ♦
2 Answers:
Regards

answered 26 Feb '15, 02:03 Kurt Knochner ♦
You'll have to pipe the output of tshark through a tool, such as a sed, AWK, or Perl script, that modifies the output to do that. The "time stamp" is actually a date/time stamp, so "frame.time" includes both date and time (the internal representation in Wireshark is "seconds and fractions of a second since January 1, 1970, 00:00:00 UTC", which does not separate date and time).
Presumably you mean "how do I show tcp.srcport and udp.srcport in the same field in the CSV output?" If that's what you mean, there is no mechanism that allows you to do that, so, again, you'd have to pipe the output through something that modifies the output of tshark.
For TCP flags, convert the value to hex, and then see RFC 793 section 3.1 "Header Format" for the interpretation of that value.

answered 26 Feb '15, 02:13 Guy Harris ♦♦
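The pipeline the answer above describes, as an added example that is not part of the original thread and not Guy Harris's code: a POSIX shell script that pipes `tshark -T fields` output through awk to split `frame.time` into date and time, merge `tcp.srcport`/`udp.srcport` (and the dst ports) into single columns, and decode `tcp.flags` into flag names (18 = 0x12 = SYN+ACK). The tshark invocation, its field order, the `|` separator and the `frame.time` text format are assumptions stated in the comments; the sample lines are constructed, not taken from a real capture, so the script runs without tshark installed.

```shell
#!/bin/sh
# Added example, not code from the Q&A thread. Post-processes `tshark -T fields`
# output (piped through awk, as the answer suggests) into the layout the question
# asks for, and decodes the tcp.flags value into flag names.
#
# Assumed (hypothetical) tshark invocation that produces the input lines:
#   tshark -r capture.pcap -T fields -E separator='|' \
#     -e frame.time -e ip.src -e ip.dst -e tcp.srcport -e udp.srcport \
#     -e tcp.dstport -e udp.dstport -e _ws.col.Protocol -e tcp.flags -e icmp.type
# frame.time is assumed to look like "Feb 26, 2015 02:13:45.123456000 UTC".

# awk helpers shared by both functions; plain POSIX awk, no gawk-only and()/strtonum().
AWK_LIB='
function hex2dec(s,    i, c, v) {
    sub(/^0[xX]/, "", s)
    v = 0
    for (i = 1; i <= length(s); i++) {
        c = index("0123456789abcdef", tolower(substr(s, i, 1))) - 1
        v = v * 16 + c
    }
    return v
}
# Control bits low to high: FIN..URG are RFC 793 section 3.1, ECE/CWR come from RFC 3168.
function flagnames(v,    out, i, names) {
    split("FIN SYN RST PSH ACK URG ECE CWR", names, " ")
    out = ""
    for (i = 0; i < 8; i++)
        if (int(v / (2 ^ i)) % 2 == 1)
            out = out (out == "" ? "" : "+") names[i + 1]
    return out
}
'

# Decode one tcp.flags value: decimal (as the question saw it) or hex (as newer tshark prints).
tcp_flags() {
    awk -v v="$1" "$AWK_LIB"'BEGIN {
        if (v ~ /^0[xX]/) v = hex2dec(v); else v = v + 0
        print flagnames(v)
    }'
}

# Read tshark field lines on stdin, write the requested CSV on stdout.
to_csv() {
    awk "$AWK_LIB"'
    BEGIN { FS = "|"; OFS = ","
            print "Date,Time,Src_IP,Dest_IP,Src_Port,Dest_Prt,Protocol,Classification" }
    NF < 10 { next }                              # skip blank or truncated lines
    {
        split($1, t, " ")                         # "Feb 26, 2015 02:13:45.123456000 UTC"
        date = "\"" t[1] " " t[2] " " t[3] "\""   # quoted because the date contains a comma
        time = t[4]
        sport = ($4 != "") ? $4 : $5              # tcp.srcport, else udp.srcport
        dport = ($6 != "") ? $6 : $7              # tcp.dstport, else udp.dstport
        if ($9 != "") {                           # tcp.flags present: classify by flag names
            v = ($9 ~ /^0[xX]/) ? hex2dec($9) : $9 + 0
            cls = "tcp " flagnames(v)
        } else if ($10 != "") cls = "icmp type " $10
        else if (sport != "")  cls = "udp"
        else                   cls = $8
        print date, time, $2, $3, sport, dport, $8, cls
    }'
}

# Constructed sample lines in the assumed tshark layout (not from a real capture):
# a SYN+ACK, a DNS query over UDP, an ICMP echo request, and a PSH+ACK given in decimal.
sample_input() {
    printf '%s\n' \
      'Feb 26, 2015 02:13:45.123456000 UTC|10.0.0.5|10.0.0.9|51234||80||TCP|0x00000012|' \
      'Feb 26, 2015 02:13:46.000001000 UTC|10.0.0.5|10.0.0.53||40000||53|DNS||' \
      'Feb 26, 2015 02:13:47.500000000 UTC|10.0.0.5|10.0.0.9|||||ICMP||8' \
      'Feb 26, 2015 02:13:48.000000000 UTC|10.0.0.9|10.0.0.5|80||51234||TCP|24|'
}

tcp_flags 18          # the value from the question: SYN+ACK
sample_input | to_csv
```

Against a real capture the last line becomes `tshark ... | to_csv > out.csv`, with the `-e` list in the exact order the comment shows; reorder the `$N` references if you change it. The date column is quoted because `frame.time` itself contains a comma; if you would rather have an unambiguous timestamp, `-e frame.time_epoch` avoids the text parsing entirely.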