This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Error in tshark command using -T fields

0

I would like to save it, but there is an error in this command, do you have any idea about it?

tshark -r /root/Desktop/a.pcap -T fields -e frame.number -e _ws.col.Info |grep "sogou" -E header=y -E separator=, >/root/Desktop/veri.csv

asked 01 Aug '17, 06:23


alfrego129
accept rate: 0%

edited 01 Aug '17, 06:33


grahamb ♦


One Answer:

1

You are mixing tshark arguments and another command "grep". You can't do that, you should read up some more on using pipelines to join commands together. Move the grep to the end:

tshark -r /root/Desktop/a.pcap -T fields -e frame.number -e _ws.col.Info -E header=y -E separator=, | grep "sogou" >/root/Desktop/veri.csv

answered 01 Aug '17, 06:29


grahamb ♦
accept rate: 22%

edited 01 Aug '17, 06:29

It also looks like you are running tshark as root. Don't do that

(01 Aug '17, 06:30) grahamb ♦

Finally, please don't "spam" any other question that might possibly be using -T fields with your specific question; that will only get you banned. Instead, raise a new question for your specific problem.

(01 Aug '17, 06:32) grahamb ♦

Okay, sorry. "It also looks like you are running tshark as root. Don't do that" - why is it not proper? Thank you.

(01 Aug '17, 07:12) alfrego129
1

See the wiki item on security here.

Basically doing so exposes your system to running lots of code fed by external (possibly malicious) network traffic, all with root privileges and is totally unnecessary.

(01 Aug '17, 07:32) grahamb ♦

I used VMware, therefore, feel relaxed always. Thank you very much; for safe mode, do you recommend any way?

(01 Aug '17, 07:50) alfrego129

What's the OS you're using?

(01 Aug '17, 08:10) grahamb ♦

Kali Linux

(01 Aug '17, 08:36) alfrego129

What was the initial goal of having grep in the middle of the parameters? Did you intend to filter by contents of _ws.col.Info?

(01 Aug '17, 08:42) sindy
(01 Aug '17, 08:53) grahamb ♦

@sindy, I was trying to extract proper packets for DoS attack then I will implement them on Weka. @grahamb thank you, it is definitely really useful.

(01 Aug '17, 10:51) alfrego129

I was wondering whether the "sogou" string is only available in the _ws.col.Info or whether you can use -Y "frame contains sogou" to fulfil the same goal.

(01 Aug '17, 11:55) sindy

@sindy really it works excellently. If I want to add features such as ip.dst -e tcp.dstport -e ip.proto -e tcp.flags.syn -e ip.flags, how can I implement them on "tshark -r /root/Desktop/a.pcap -T fields -e frame.number -Y "frame contains sogou" >/root/Desktop/veri.csv" ?

(01 Aug '17, 12:52) alfrego129

I wonder what the tshark man page is lacking that complicates your understanding of the concept. tshark takes a list of command line parameters which have names and in most cases values. So -Y "frame contains sogou" is one parameter whose name is Y and whose value is "frame contains sogou"; the quotation marks are there to indicate that the whole string including the spaces is the value of that single parameter.

Now some of the parameters make sense only once (-T, -Y, -r, -w) while others may be repeated as many times as needed if multiple values of that parameter make sense, like -e, whose value is the name of a protocol field to show in the output and which only makes sense if the value of -T is fields, or like -i, which indicates which interface to capture from, as you can capture from several interfaces simultaneously.

So in particular, you can add -e ip.dst -e tcp.dstport -e ip.proto -e tcp.flags.syn -e ip.flags right after -e frame.number and you should get these fields in the output.

Also important, there is no mandatory relationship between the field names used in display filter and field names listed using -e to be printed in the output - you can display-filter by some group of protocol fields and actually print a completely different group of protocol fields.

(01 Aug '17, 13:15) sindy
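An added example, not part of the original thread, tying together the accepted answer (grep belongs after tshark's own options, at the end of the pipeline) and sindy's comment above (-e may be repeated; -Y filters independently of the printed fields). Because the verifier has no tshark or capture file, the script feeds a constructed stand-in for what "tshark -T fields -E header=y -E separator=, -E quote=d" prints; the packet rows are hypothetical. It shows a practical side effect of the answer's pipeline that the thread does not spell out: "| grep sogou" also drops the header line requested with -E header=y, so the CSV loses its column names unless you keep line 1 explicitly (or filter inside tshark with -Y, where the header is untouched). The -E quote=d option is assumed here because _ws.col.Info routinely contains commas, which would otherwise split the column.

```shell
#!/bin/sh
# Added example, not from the original thread. The real invocation the
# sample below stands in for would be (all tshark options before the pipe):
#   tshark -r a.pcap -T fields -e frame.number -e ip.dst -e tcp.dstport \
#          -e _ws.col.Info -E header=y -E separator=, -E quote=d \
#     | awk 'NR == 1 || /sogou/' > veri.csv
# or, filtering in tshark itself so the header survives untouched:
#   tshark -r a.pcap -Y "frame contains sogou" -T fields ... > veri.csv

# Constructed stand-in for tshark's field output (hypothetical packets).
# -E quote=d is assumed: Info values are double-quoted because they may
# contain the separator character.
sample_fields_output() {
    cat <<'EOF'
frame.number,ip.dst,tcp.dstport,_ws.col.Info
1,"192.0.2.10","53","Standard query 0x1a2b A pinyin.sogou.com"
2,"192.0.2.20","80","[SYN] Seq=0 Win=64240 Len=0"
3,"192.0.2.20","80","GET /update HTTP/1.1, Host: sogou.example"
4,"192.0.2.20","80","[ACK] Seq=1 Ack=1 Win=64240 Len=0"
EOF
}

# Plain grep at the end of the pipeline, exactly as in the accepted answer:
# matching rows only; the header line is silently lost.
filter_plain() {
    sample_fields_output | grep "sogou"
}

# Header-preserving variant: keep line 1 unconditionally, then match.
filter_keep_header() {
    sample_fields_output | awk 'NR == 1 || /sogou/'
}

# Number of matching data rows a variant yields (header never matches).
count_matches() {
    "$1" | grep -c "sogou"
}

# Usage: filter_keep_header > veri.csv
```

With the header kept, a tool that reads the CSV by column name (the poster mentions Weka) sees the field names instead of treating the first matching packet as the header row.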

Yes, I have read man page. Thank you very much for all information, definitely, they were too useful.

(02 Aug '17, 10:22) alfrego129

@grahamb I would like to ask a question, however, due to your spam warning, I cannot ask, I did not know the rule of the forum and have been learning them. Thank you.

(02 Aug '17, 11:37) alfrego129
1

You have misunderstood @grahamb. There is nothing bad about asking a new Question - provided that you don't ask the same thing you've already asked before, only in different words. What he had in mind was that you had placed a comment on an already answered, loosely related question, instead of asking a separate Question pinpointed to your particular issue.

(02 Aug '17, 12:26) sindy

Okay, but I have tried to ask a question today and saw this:

"Akismet believes your question is spam. We're sorry, but Akismet believes your question is spam. If you believe this is an error, please contact the forum administrator. "

How can I fix this situation?

(02 Aug '17, 12:56) alfrego129
1

This is a known problem, already reported as Bug 13714. So far, there is no solution, partly because I don't think the cause is clear.

You could try re-wording your question or leaving out most text when creating it then try editing it afterward.

In your case, I wonder if it's possible that because you awarded all of your reputation points to @grahamb that it's causing a problem for users with 0 reputation?

(02 Aug '17, 13:14) cmaynard ♦♦
1

You can easily check whether @cmaynard is right regarding the 0 reputation as a cause. If you consider @grahamb's Answer to which this Comment belongs a correct one to your Question (I do but the decision is yours), click the checkmark icon next to it. Doing so awards some reputation points not only to @grahamb but also to you. And then you can try to ask a new Question again.

(02 Aug '17, 13:24) sindy
1

@alfrego129,

By devious means I have returned the 10 points you awarded me, try posting your question now. Also take note of @sindy's comment on accepting my answer.

(02 Aug '17, 13:55) grahamb ♦

Thank you @grahamb

(03 Aug '17, 02:57) alfrego129

@alfrego129, I've removed your last few comments as they really were related to your other question and had no place here.

(03 Aug '17, 05:45) grahamb ♦

@alfrego129, if an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(03 Aug '17, 07:12) cmaynard ♦♦