Reputation: 4352
How to save pcap file to text file using tshark
I have a pcap file : a.pcap which contains udp packets.
I can save this a.pcap to text file (.txt) with wireshark GUI. (File -> Save as -> k12 text file).
How can I do the same thing with tshark from command line. I want exactly the same output file as (File -> Save as -> k12 text file).
I have tried commands like:
tshark -T pdml -r 1.pcap -T fields -e data > a.xml
This will result in writing udp payload to a.xml.Not the exact thing I need.
Upvotes: 1
Views: 15800
Answers (1)
Reputation: 1155
I can save this a.pcap to text file (.txt) with wireshark GUI. (File -> Save as -> k12 text file).
"Text file" covers a number of text file formats, such as:
- a file showing the packet summaries as text (the topmost pane of Wireshark, by default);
- a file showing the packet details of each packet as text (showing, for each packet, the default middle pane of Wireshark);
- a file showing hex dumps of the packet data (showing, for each packet, the default bottommost pane of Wireshark);
- a combination of two of those, or of all three of those;
- a CSV file of columns from the packet summaries;
- a CSV file of particular fields from the packet;
- a PSML file showing, as XML, the components of the packet summaries;
- a PDML file showing, as XML, the components of the details of each packet;
- a JSON file showing the details of each packet;
- a C source file showing the raw hex data of the packets, with each packet being in a separate C array of byte values;
- a text packet capture format.
So there's no such thing as "the" text format to save a pcap file as; there are a bunch of choices.
"K12 text format" is a text packet capture format; it's what some Tektronix equipment can write out - in that sense, it's similar to writing out the raw hex data, plus some metadata. However, from a user-interface sense, it's more like "Save As..." in Wireshark, because it's a capture file format.
The way you do that is with
tshark -F {output file format} -r {input file} -w {output file}
so, if you want to read the pcap file and write it out as a "K12 text format" file, you can do it with
tshark -F k12text -r a.pcap -w a.txt
You can also do this with editcap:
editcap -F k12text a.pcap a.txt
Upvotes: 3
Related Questions
- How do I use tshark to print request-response pairs from a pcap file?
- To convert a pcap file to a json file(tshark)
- dumpcap, save to text file and line separated
- Tshark - Export packet info from pcap to cvs
- how to extract data from pcap file
- pcap2har for a pcap that was generated by tshark(-w option)
- How to extract full set of features from an existing pcap file using tshark or any other tool?
- convert txt packet data to pcap format to open it by Wireshark
- How to preserve timestamps in tshark output file?
- plaintext output from pcap in tshark (with options from wireshark?)