
I am trying to capture traffic from an Ethernet interface using tshark and then convert it to txt for analysis. I am using the following command:

tshark -N n -T fields -i ethernet -e "frame.number" -e "_ws.col.Time" -e "_ws.col.src" -e "_ws.col.dstn" -e "_ws.col.Proto" -e "_ws.col.Len" -e "_ws.col.Info" -E header=y -E separator=, > C:\DataCapture\capture.csv

However, the output is not displaying all the columns; the Length and the Info are missing, as shown below:

frame.number    _ws.col.Time    _ws.col.Src    _ws.col.Dstn _ws.col.Proto   _ws.col.Len _ws.col.Info
1               0.203766         192.168.0.104  224.0.0.251     MDNS        

I also tried using dumpcap, saving to a file and converting, but I received the same result. All the options I tried (that I found online) give the same output: no length and no info.

Just to keep in mind: I need it in text for clearer processing and smaller size, and I don't want to keep converting from one format to another as I am working on large volumes of traffic.

My tshark version is 4.0.4.

Thanks,

  • You're specifying "_ws.col.Protocol" and "_ws.col.Length", but the column headers printed are "_ws.col.Proto" and "_ws.col.Len", so which is it? Are you sure you're specifying all the column names properly? Commented Apr 11, 2023 at 21:12
  • I just truncated the output to fit it on one line, but it was as in the command; however, it does not make a difference. Both work for the first columns but give nothing for the last two; even using the (" ") did not make any difference in the output. Commented Apr 11, 2023 at 23:25
  • You are doing a live capture and it's possible the information isn't available in 1-pass, which is all you get with tshark when live-capturing. You could try writing the packets to a .pcapng file and then post-processing that file with tshark including the -2 option to force 2-pass mode. Commented Apr 12, 2023 at 14:33
  • I tried both; I have been experimenting with it for the past two days, and it looks like this is what text/csv files can get. I have tried (almost) all combinations, and again, using live capture and a pcapng file, nothing works. I am guessing that I have to convert to text without specifying any field and then extract my own info, and in that case I will use dumpcap directly rather than tshark, but thanks for your interaction. Commented Apr 12, 2023 at 19:09

1 Answer


Ok, after a couple of days of investigation, I came across a way to extract (or filter) the pcapng file to text with any information available. What I have seen online so far uses the suffix _ws.col, but this does not work with all the information available: except for the source IP, destination IP and protocol, (almost) everything else displays an empty field.

Just one note here: I am not sure whether this is how it is meant to be or just a workaround.

So, I extracted a single packet, as per below, and started experimenting with it. The way to do it is that you can pick ANY expression between the " " and it should work; here is an example of a command I tried:

tshark -N n -r file.pcapng -T fields -e frame.number -e ip.src -e ip.dst -e ip.proto -e frame.len -e eth.src_resolved -E header=y -E separator=, > file.txt

and here is the output of that packet extracted from the text file:

frame.number,ip.src,          ip.dst,        ip.proto, frame.len, eth.src_resolved
1,           248.79.112.255,  192.168.0.111, 6,        174,       00:0c:29:ef:e5:71

I just tabbed the result above to make it easier to read; otherwise it is packed with , separation.

Here is the single packet extract:

[
  {
    "_index": "packets-2023-04-12",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.section_number": "1",
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "\\Device\\NPF_{xxx-xxx-xxx-xxx-xxx}",
            "frame.interface_description": "Ethernet0"
          },
          "frame.encap_type": "1",
          "frame.time": "Apr 12, 2023 21:59:31.723135000 xxxx TZ Standard Time",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1681325971.723135000",
          "frame.time_delta": "0.000000000",
          "frame.time_delta_displayed": "0.000000000",
          "frame.time_relative": "0.000000000",
          "frame.number": "1",
          "frame.len": "174",
          "frame.cap_len": "174",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "eth:ethertype:ip:tcp"
        },
        "eth": {
          "eth.dst": "00:0c:29:28:5a:e9",
          "eth.dst_tree": {
            "eth.dst_resolved": "00:0c:29:28:5a:e9",
            "eth.dst.oui": "3113",
            "eth.dst.oui_resolved": "VMware, Inc.",
            "eth.addr": "00:0c:29:28:5a:e9",
            "eth.addr_resolved": "00:0c:29:28:5a:e9",
            "eth.addr.oui": "3113",
            "eth.addr.oui_resolved": "VMware, Inc.",
            "eth.dst.lg": "0",
            "eth.lg": "0",
            "eth.dst.ig": "0",
            "eth.ig": "0"
          },
          "eth.src": "00:0c:29:ef:e5:71",
          "eth.src_tree": {
            "eth.src_resolved": "00:0c:29:ef:e5:71",
            "eth.src.oui": "3113",
            "eth.src.oui_resolved": "VMware, Inc.",
            "eth.addr": "00:0c:29:ef:e5:71",
            "eth.addr_resolved": "00:0c:29:ef:e5:71",
            "eth.addr.oui": "3113",
            "eth.addr.oui_resolved": "VMware, Inc.",
            "eth.src.lg": "0",
            "eth.lg": "0",
            "eth.src.ig": "0",
            "eth.ig": "0"
          },
          "eth.type": "0x0800"
        },
        "ip": {
          "ip.version": "4",
          "ip.hdr_len": "20",
          "ip.dsfield": "0x00",
          "ip.dsfield_tree": {
            "ip.dsfield.dscp": "0",
            "ip.dsfield.ecn": "0"
          },
          "ip.len": "160",
          "ip.id": "0x267a",
          "ip.flags": "0x00",
          "ip.flags_tree": {
            "ip.flags.rb": "0",
            "ip.flags.df": "0",
            "ip.flags.mf": "0"
          },
          "ip.frag_offset": "0",
          "ip.ttl": "64",
          "ip.proto": "6",
          "ip.checksum": "0x2978",
          "ip.checksum.status": "2",
          "ip.src": "123.123.123.123",
          "ip.addr": "123.123.123.123",
          "ip.src_host": "123.123.123.123",
          "ip.host": "123.123.123.123",
          "ip.dst": "192.168.0.111",
          "ip.addr": "192.168.0.111",
          "ip.dst_host": "192.168.0.111",
          "ip.host": "192.168.0.111"
        },
        "tcp": {
          "tcp.srcport": "2572",
          "tcp.dstport": "80",
          "tcp.port": "2572",
          "tcp.port": "80",
          "tcp.stream": "0",
          "tcp.completeness": "0",
          "tcp.len": "120",
          "tcp.seq": "0",
          "tcp.seq_raw": "410684482",
          "tcp.nxtseq": "121",
          "tcp.ack": "338765635",
          "tcp.ack_tree": {
            "_ws.expert": {
              "tcp.ack.nonzero": "",
              "_ws.expert.message": "The acknowledgment number field is nonzero while the ACK flag is not set",
              "_ws.expert.severity": "4194304",
              "_ws.expert.group": "150994944"
            }
          },
          "tcp.ack_raw": "338765635",
          "tcp.hdr_len": "20",
          "tcp.flags": "0x0002",
          "tcp.flags_tree": {
            "tcp.flags.res": "0",
            "tcp.flags.ae": "0",
            "tcp.flags.cwr": "0",
            "tcp.flags.ece": "0",
            "tcp.flags.urg": "0",
            "tcp.flags.ack": "0",
            "tcp.flags.push": "0",
            "tcp.flags.reset": "0",
            "tcp.flags.syn": "1",
            "tcp.flags.syn_tree": {
              "_ws.expert": {
                "tcp.connection.syn": "",
                "_ws.expert.message": "Connection establish request (SYN): server port 80",
                "_ws.expert.severity": "2097152",
                "_ws.expert.group": "33554432"
              }
            },
            "tcp.flags.fin": "0",
            "tcp.flags.str": "··········S·"
          },
          "tcp.window_size_value": "64",
          "tcp.window_size": "64",
          "tcp.checksum": "0xe582",
          "tcp.checksum.status": "2",
          "tcp.urgent_pointer": "0",
          "Timestamps": {
            "tcp.time_relative": "0.000000000",
            "tcp.time_delta": "0.000000000"
          },
          "tcp.analysis": {
            "tcp.analysis.bytes_in_flight": "120",
            "tcp.analysis.push_bytes_sent": "120"
          },
          "tcp.payload": "58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58",
          "tcp.segment_data": "58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58"
        }
      }
    }
  }
]

Hope this helps anyone who needs to extract specific information from a pcapng file.
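As an added example (not part of the original answer), here is a small Python check for the CSV that the `-T fields -E header=y -E separator=,` command above produces: it parses the export, reports which requested fields came back empty (the exact symptom in the question), and sums frame.len per IP protocol. The sample CSV is constructed; the values are made up and not from the page's capture.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: the shape that `tshark -T fields -E header=y -E separator=,`
# emits for the fields used in the answer, plus one _ws.col.* field that came
# back empty, as in the question. Addresses and sizes are made up.
SAMPLE_CSV = """\
frame.number,ip.src,ip.dst,ip.proto,frame.len,_ws.col.Info
1,248.79.112.255,192.168.0.111,6,174,
2,192.168.0.111,248.79.112.255,6,60,
3,192.168.0.104,224.0.0.251,17,87,
4,192.168.0.104,224.0.0.251,17,87,
"""

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_tshark_fields(text, separator=","):
    """Parse `-T fields -E header=y` output into a list of row dicts.

    Caveat: multi-valued fields (ip.addr, tcp.port, eth.addr) are joined with
    tshark's aggregator, which also defaults to ','. Use -E aggregator=/s or
    stick to single-valued fields so the column count stays stable.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=separator)
    return [dict(row) for row in reader]


def empty_field_report(rows):
    """Count empty values per column, so an export with unpopulated fields
    is noticed before anyone builds analysis on it."""
    empties = Counter()
    for row in rows:
        for field, value in row.items():
            if value is None or value == "":
                empties[field] += 1
    return dict(empties)


def bytes_by_proto(rows):
    """Sum frame.len per IP protocol using the numeric ip.proto field."""
    totals = defaultdict(int)
    for row in rows:
        proto = row.get("ip.proto")
        if not proto:
            continue  # non-IP frames (e.g. ARP) have no ip.proto
        name = IP_PROTO_NAMES.get(int(proto), f"proto-{proto}")
        totals[name] += int(row["frame.len"])
    return dict(totals)
```

If a text field such as _ws.col.Info may itself contain commas, add `-E quote=d` to the tshark command so the csv module can split the rows correctly.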
