Reputation: 61
I am trying to automate the exporting of full dissections of a pcap to a .txt file using tshark. I am aware of the file->export packet dissections as option, but I am working to automate that. Right now I have tshark -X lua_script: -r > . The files enclosed in <> are paths. The lone > is the command for printing text. It will export packet summaries but not the full dissection. Is there any way to export the full dissection to the command line? These sample lines are what is exported right now:
1 0.000000000 02:00:00:00:00:67 -> IPv4mcast_01:05:ee 0x8903 1467 Data Center Ethernet (DCE) protocol(Cisco)
2 0.000001180 10.81.130.23 -> 239.1.5.238 ST 1451 Messages: 14
3 0.006327070 02:00:00:00:00:67 -> IPv4mcast_01:05:ee 0x8903 1467 Data Center Ethernet (DCE) protocol(Cisco)
4 0.006328250 10.81.130.23 -> 239.1.5.238 ST 1451 Messages: 14
5 0.019039770 02:00:00:00:00:67 -> IPv4mcast_01:05:ee 0x8903 1467 Data Center Ethernet (DCE) protocol(Cisco)
This is what I want the exports to look like
No. Time Source Destination Protocol Length Info
2 0.000001180 10.81.130.23 239.1.5.238 ST 1451 Messages: 14
Frame 2: 1451 bytes on wire (11608 bits), 1451 bytes captured (11608 bits)
Ethernet II, Src: Solarfla_0e:e4:a1 (00:0f:53:0e:e4:a1), Dst: IPv4mcast_01:05:ee (01:00:5e:01:05:ee)
Internet Protocol Version 4, Src: 10.81.130.23 (10.81.130.23), Dst: 239.1.5.238 (239.1.5.238)
User Datagram Protocol, Src Port: 43464 (43464), Dst Port: 25238 (25238)
ST Block
Block Header
Sanity: 23559 (Should be 23559)
Header Version (Major: 0 Minor: 1)
Header Size in Bytes: 19
Payload Size in Bytes: 1386
Messages: 14
Environment Id: 0
Feed Id: 1 (Uqdf)
Compression Type: 0
Sender Id: 1
Sequence: 37495844
Message Header
Header Version (Major: 0 Minor: 1)
Header Length in Bytes: 31
Msg Type: 1 (Equity Quote)
Message Version (Major: 0 Minor: 1)
Msg Length in Bytes: 68
Flags: 0
Data Type: 1 (Equity)
Feed Id: 1 (Uqdf)
Feed Line: 1
Feed Seq Num: 7123431
Feed Sub Seq Num: 0
Exchange Time (10:59:59.978517000)
High: 9220
Low: 380047880
Note: this is what the packet dissections look like when using file->export packet dissections
Thank you in advance!
Upvotes: 3
Views: 2314
Reputation: 61
To include all packet details in addition to packet summary lines, use:
tshark -PV2r capture.pcap > out.txt
Explanation of added options:
-P includes packet summary lines.
-V includes packet details.
-2 performs a two-pass analysis. Certain details, such as 'response in frame #', are only included if tshark makes two passes over the data.
Upvotes: 3
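The following is an added example, not code from the question or the answer: a POSIX shell function that applies the answer's `-P -V -2 -r` options to every `.pcap` in a directory, going one step beyond the single-file command. The function name `export_dissections` and the `TSHARK` and `LUA_DISSECTOR` environment variables are assumptions made for this sketch; `-X lua_script:` is the option the question already uses.

```shell
#!/bin/sh
# Added example: batch-export full dissections for every capture in a directory.
# TSHARK and LUA_DISSECTOR are assumed overrides for this sketch, not tshark features.
TSHARK="${TSHARK:-tshark}"

# export_dissections IN_DIR OUT_DIR
# Writes OUT_DIR/<name>.txt for each IN_DIR/<name>.pcap.
# Returns 1 if any capture failed to export, 0 otherwise.
export_dissections() {
    in_dir=$1
    out_dir=$2
    failed=0
    mkdir -p "$out_dir" || return 1
    for pcap in "$in_dir"/*.pcap; do
        [ -e "$pcap" ] || continue          # the glob matched nothing
        out="$out_dir/$(basename "$pcap" .pcap).txt"
        # -P summary line, -V full detail tree, -2 two-pass analysis, -r read file
        set -- -P -V -2 -r "$pcap"
        if [ -n "${LUA_DISSECTOR:-}" ]; then
            # Load a custom Lua dissector, as in the question's command line.
            set -- -X "lua_script:$LUA_DISSECTOR" "$@"
        fi
        # Write to a temporary file first so a failed run never leaves a
        # partial dissection behind under the final name.
        if "$TSHARK" "$@" > "$out.tmp"; then
            mv "$out.tmp" "$out"
        else
            echo "tshark failed on $pcap" >&2
            rm -f "$out.tmp"
            failed=1
        fi
    done
    return "$failed"
}

# Example invocation (paths are placeholders):
#   LUA_DISSECTOR=/path/to/dissector.lua export_dissections ./captures ./dissections
```

Quoting `"$pcap"` and `"$out"` keeps capture names with spaces intact, and the non-zero return lets a scheduler or CI job notice captures that did not export.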