Reputation: 315
I am new to network traffic analysis.
I have used the following Tshark command, but no luck.
C:\Program Files\Wireshark>tshark -r C:\Users\Ravi\Desktop\IDS-augustdocuments\iscxdataset\testbed13jun.pcapCopy\split\small_00057_20100613213752.pcap separator=, -R "tcp.data" -T fields frame.number -e appName -e totalSourceBytes > C:\Users\Ravi\Desktop\IDS-augustdocuments\iscxdataset\testbed13jun.pcapCopy\split\18oct.csv
tshark: "=" was unexpected in this context.
Any suggestions on how to extract features like Direction (for the flows), totalSourceBytes, totalDestinationBytes, totalDestinationPackets, totalSourcePackets, sourceTCPFlagsDescription, etc.?
Upvotes: 2
Views: 3429
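The following is an added example, not code from the question or from the ISCX dataset tooling. It computes the flow features named above (Direction, totalSource/DestinationBytes and Packets, source/destinationTCPFlagsDescription) straight from a classic pcap file in pure Python, without tshark. Two things about the tshark command in the question are worth knowing when reading it: with `-T fields`, the separator needs `-E separator=,` and every field needs `-e` (a bare `separator=,` or `frame.number` is read by tshark as a display filter, which is where the `"=" was unexpected` message comes from), and names such as appName and totalSourceBytes are dataset flow labels, not tshark field names, so tshark cannot emit them directly. Assumptions in the code: the local network used to decide Direction is 10.0.0.0/24 (the real testbed has its own ranges), byte totals are link-layer frame bytes, protocolName follows the dataset's tcp_ip/udp_ip naming, and the sample capture is constructed in the code rather than taken from the dataset.

```python
import struct
import socket
import ipaddress

# Assumption: "Direction" is judged against this local network; change it for your capture.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                  (0x10, "A"), (0x20, "U"), (0x40, "E"), (0x80, "C")]


def flags_description(bits):
    """TCP flag bitmask as comma-separated letters, e.g. 0x12 -> 'S,A'."""
    return ",".join(name for bit, name in TCP_FLAG_NAMES if bits & bit)


def read_pcap(data):
    """Yield link-layer frames from classic pcap bytes (either byte order)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("this example handles Ethernet (DLT 1) captures only")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """(src, sport, dst, dport, proto, tcp_flags) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]                 # skip IHL*4 header bytes
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if ip[9] == 6 and len(l4) >= 20:            # TCP: flags live in header byte 13
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, sport, dst, dport, "tcp", l4[13]
    if ip[9] == 17 and len(l4) >= 8:            # UDP: no flags
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, sport, dst, dport, "udp", 0
    return None


def direction(src, dst):
    local = (ipaddress.ip_address(src) in LOCAL_NET, ipaddress.ip_address(dst) in LOCAL_NET)
    return {(True, True): "L2L", (True, False): "L2R", (False, True): "R2L"}.get(local, "R2R")


def extract_flows(pcap_bytes):
    """Aggregate packets into bidirectional 5-tuple flows; the first packet seen defines the source side."""
    flows = {}
    for frame in read_pcap(pcap_bytes):
        fields = decode_frame(frame)
        if fields is None:
            continue
        src, sport, dst, dport, proto, tcp_flags = fields
        fwd, rev = (src, sport, dst, dport, proto), (dst, dport, src, sport, proto)
        if fwd in flows:
            f, side = flows[fwd], "Source"
        elif rev in flows:
            f, side = flows[rev], "Destination"
        else:
            f = flows[fwd] = {"source": src, "sourcePort": sport, "destination": dst,
                              "destinationPort": dport, "protocolName": proto + "_ip",
                              "direction": direction(src, dst),
                              "totalSourcePackets": 0, "totalSourceBytes": 0,
                              "totalDestinationPackets": 0, "totalDestinationBytes": 0,
                              "sourceTCPFlags": 0, "destinationTCPFlags": 0}
            side = "Source"
        f["total%sPackets" % side] += 1
        f["total%sBytes" % side] += len(frame)   # link-layer bytes, as Argus sbytes/dbytes count them
        f["%sTCPFlags" % side.lower()] |= tcp_flags
    for f in flows.values():
        f["sourceTCPFlagsDescription"] = flags_description(f.pop("sourceTCPFlags"))
        f["destinationTCPFlagsDescription"] = flags_description(f.pop("destinationTCPFlags"))
    return list(flows.values())


# Constructed sample capture (not real traffic): one HTTP-like TCP exchange and one UDP query.
def _frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))   # IP checksum left at 0
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload


def build_sample_pcap():
    frames = [_frame("10.0.0.1", "198.51.100.7", 6, _tcp(40000, 80, 0x02)),               # SYN
              _frame("198.51.100.7", "10.0.0.1", 6, _tcp(80, 40000, 0x12)),               # SYN/ACK
              _frame("10.0.0.1", "198.51.100.7", 6, _tcp(40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")),
              _frame("198.51.100.7", "10.0.0.1", 6, _tcp(80, 40000, 0x18, b"HTTP/1.0 200 OK\r\n\r\n")),
              _frame("10.0.0.1", "198.51.100.7", 6, _tcp(40000, 80, 0x11)),               # FIN/ACK
              _frame("10.0.0.1", "10.0.0.3", 17, struct.pack("!HHHH", 5353, 53, 10, 0) + b"\x00\x01")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)      # pcap global header, DLT 1
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1276459072 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    for row in extract_flows(build_sample_pcap()):
        print(row)
```

To run it over a real split file, replace `build_sample_pcap()` with `open(path, "rb").read()`; the flow table then contains one row per bidirectional 5-tuple, ready to be written out with `csv.DictWriter`. Pcapng files and non-Ethernet link types are rejected explicitly rather than silently misparsed.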
Reputation: 315
I used Bro IDS to get the required fields from the conn.log file.
1) Configure the Bro IDS (follow this link to install Bro IDS): https://www.digitalocean.com/community/tutorials/how-to-install-bro-ids-2-2-on-ubuntu-12-04
2) Start the Bro IDS.
3) Use the command "bro -r your_pcap_file.pcap"; this will generate .log files in the current directory.
4) Inspect the logs like conn.log, dns.log, http.log, etc. for different information from the pcap file.
Upvotes: 0
Reputation: 36
Yes. Bro IDS or Argus (Auditing Network Activity).
Argus example:
racluster -L0 -m proto -r filepcap.arg -s proto saddr daddr spkts dpkts sbytes dbytes
Proto  SrcAddr          DstAddr        SrcPkts  DstPkts  SrcBytes  DstBytes
udp    84.125.xxx.xxx   0.0.0.0           2634     2580    205131    317889
tcp    84.125.xxx.xxx   0.0.0.0          34143    42585   6078099  48276978
arp    84.125.xxx.xxx   84.xxx.xxx.x         3        3       126       180
Best Regards,
Upvotes: 2