I am creating a simple packet analyzer in Python which analyzes Tshark .xml output files.
Tshark (the command-line equivalent of Wireshark) has a feature which allows outputting all the packets to a .psml file (Packet Summary Markup Language). In Wireshark I can configure the contents of the exported .psml file by adding/removing tabs in the GUI. However, I can't find any option to do this from the command line in Tshark.
Sample output from Wireshark:
<?xml version="1.0"?>
<psml version="0" creator="wireshark/2.0.0">
<structure>
<section>No.</section>
<section>Time</section>
<section>Source</section>
<section>Destination</section>
<section>Protocol</section>
<section>Length</section>
<section>Info</section>
<section>dBm</section>
</structure>
<packet>
<section>1</section>
<section>0.000000</section>
<section>xx:xx:xx:xx:xx:xx</section>
<section>Broadcast</section>
<section>802.11</section>
<section>223</section>
<section>Beacon frame, SN=1524, FN=0, Flags=........C, BI=100, SSID=xxx</section>
<section>4294967260 dBm</section>
</packet>
In Tshark I am getting the output without the section dBm (IEEE 802.11 RSSI). How do I configure Tshark to get this data in the .psml file?
PSML shows the columns that would show up in the summary pane in Wireshark or the output of TShark without -V, so you need to request the RSSI column.
Presumably by "adding/removing tabs" you mean "adding/removing columns".
Try running TShark with the command-line option
-o gui.column.format:'"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "Protocol", "%p", "Length", "%L", "Info", "%i", "dBm", "%e"'
which specifies which columns to display - or to put in PSML output.
(Unfortunately, there's a bug in Wireshark 2.x where the dBm value is written in PSML as if it were unsigned, so, for example, -33 dBm shows up as 4294967263. I've checked in a fix, so it should be fixed when Wireshark 2.0.2 comes out. Wireshark 1.x doesn't have that bug.)
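An added example, not from the original question or answer: parsing PSML with Python's standard library and reinterpreting the dBm column as a signed 32-bit value, which undoes the unsigned wrap described above and leaves already-signed values untouched. The sample PSML is constructed, and the function names and the "dBm" column title (as set in the gui.column.format option above) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the PSML shown in the question.
SAMPLE_PSML = """<?xml version="1.0"?>
<psml version="0" creator="wireshark/2.0.0">
<structure><section>No.</section><section>Protocol</section><section>dBm</section></structure>
<packet><section>1</section><section>802.11</section><section>4294967260 dBm</section></packet>
<packet><section>2</section><section>802.11</section><section>-33 dBm</section></packet>
<packet><section>3</section><section>ARP</section><section></section></packet>
</psml>"""

def to_signed32(value):
    """Reinterpret an unsigned 32-bit integer as two's-complement signed."""
    return value - (1 << 32) if value >= (1 << 31) else value

def parse_dbm(text):
    """Parse a '<n> dBm' cell; return None for empty or non-numeric cells."""
    parts = text.split()
    if not parts:
        return None  # e.g. a non-802.11 packet with no RSSI
    try:
        return to_signed32(int(parts[0]))
    except ValueError:
        return None

def parse_psml(xml_text, dbm_column="dBm"):
    """Return one dict per <packet>, keyed by the titles in <structure>."""
    root = ET.fromstring(xml_text)
    structure = root.find("structure")
    if structure is None:
        raise ValueError("PSML has no <structure> element")
    columns = [s.text or "" for s in structure.findall("section")]
    packets = []
    for pkt in root.findall("packet"):
        values = [s.text or "" for s in pkt.findall("section")]
        row = dict(zip(columns, values))
        if dbm_column in row:
            row[dbm_column] = parse_dbm(row[dbm_column])
        packets.append(row)
    return packets

if __name__ == "__main__":
    for row in parse_psml(SAMPLE_PSML):
        print(row)
```
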