
Exporting interpreted frame information by Wireshark


I was wondering if there is a way to export specific information shown in Wireshark packet/frame information that is not readily visible in the frame bytes (interpreted information?). I am particularly interested in frame duration in microseconds (wlan_radio.duration) for wireless frames.

I have looked into data exporting on Wireshark help, but I was not able to find an option that exports the interpreted information.

I know that the implementation of what I am looking for is within packet-ieee80211-radio.c, and I am open to writing my own code to extract that information, but it seems a bit complicated to me and I was wondering if there is already an existing way to do this.

I am also open to using other tools such as tcpdump, but tcpdump doesn't provide a frame duration as far as I know.

Thanks!


Solution

  • In Wireshark, you can add the field as a column, either by right-clicking on the field and then choosing "Apply as Column" or by the longer "Edit -> Preferences -> Columns" method, and then you can choose "File -> Export Packet Dissections -> As Plain Text..." (or whatever format you'd prefer).

    You can also accomplish this with tshark (Wireshark's CLI companion tool), in one of 3 ways:

    1. If you've already added the field of interest as a column in Wireshark, then simply running tshark -r file.pcap will cause every configured column in Wireshark to be printed.

    2. You don't have to rely on Wireshark's column settings. You can directly control which columns are printed in tshark, independently of Wireshark's column settings, so you could use something like so:

      tshark -r file.pcap -o 'gui.column.format:"No.","%m","Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Duration","%Cus:wlan_radio.duration","Info","%i"'

      NOTE: The format provided is for Unix. If you're using Windows, you should use double outer-quotes and escape all the inner double quotes, e.g., "gui.column.format:\"No.\",\"%m\", ..."

      Run tshark -G column-formats for a list of "built-in" column formats. If a field isn't listed, then you can always use the "Some Field","%Cus:someproto.somefield" method for adding so-called custom columns.

    3. You can make use of tshark's -T fields option to extract only fields of interest. This method is my preferred method for extracting data, and I find it especially useful for generating a .csv file, which you can then import into a spreadsheet for further analysis and data manipulation, including generating charts, graphs, etc. So, for example:

      tshark -r file.pcap -T fields -E separator=, -E quote=d -Y "wlan_radio.duration" -e frame.number -e frame.time -e _ws.col.Source -e _ws.col.Destination -e _ws.col.Protocol -e frame.len -e wlan_radio.duration -e _ws.col.Info > file.csv

      NOTE: Here I've intentionally used Wireshark columns to illustrate that you can do this and how to do it, but if you don't want to rely on Wireshark columns, then you should avoid using the _ws.col.foo fields and extract the data from the protocol fields directly, as in the case of wlan_radio.duration (and other fields shown).

    On a final note, if you are going to add custom columns to Wireshark, such as the wlan_radio.duration field, then you might consider creating a specific profile for "WLAN analysis". That way if you're not working with 802.11 traffic, you can use the Default profile (or another profile better suited for analyzing that traffic), and only use the "WLAN" profile when it's relevant. Create a profile via "Edit -> Configuration Profiles...". You can easily switch profiles in Wireshark by clicking on the Profile in the lower-right corner of the status bar. Lastly, to cause tshark to use a specific profile, you'd use tshark -C "WLAN" ... or whatever the name of your profile is.
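As an added example (not part of the original answer) of what you can do with the .csv that the -T fields command above writes: a short Python script that reads rows in that exact column order and sums wlan_radio.duration per source address, which is a quick way to see which transmitter is consuming the most airtime. The sample rows are constructed, not taken from a real capture, and a frame whose duration field is empty is counted separately rather than dropped silently.

```python
import csv
import io
from collections import defaultdict

# Column order matches the -e list of the tshark command above:
# frame.number, frame.time, _ws.col.Source, _ws.col.Destination,
# _ws.col.Protocol, frame.len, wlan_radio.duration, _ws.col.Info
FIELDS = ["frame.number", "frame.time", "source", "destination",
          "protocol", "frame.len", "wlan_radio.duration", "info"]

# Constructed sample in the shape "-E separator=, -E quote=d" emits.
# Values are made up; note the commas inside quoted Time and Info fields,
# and the empty duration on frame 3.
SAMPLE_CSV = '''"1","Jan  1, 2024 00:00:00.000000000 UTC","aa:bb:cc:00:00:01","ff:ff:ff:ff:ff:ff","802.11","256","260","Beacon frame, SN=1, FN=0, Flags=........"
"2","Jan  1, 2024 00:00:00.102400000 UTC","aa:bb:cc:00:00:02","aa:bb:cc:00:00:01","802.11","100","44","Probe Request, SN=5, FN=0"
"3","Jan  1, 2024 00:00:00.102600000 UTC","aa:bb:cc:00:00:01","aa:bb:cc:00:00:02","802.11","230","","Probe Response, SN=2, FN=0"
"4","Jan  1, 2024 00:00:00.204800000 UTC","aa:bb:cc:00:00:01","ff:ff:ff:ff:ff:ff","802.11","256","260","Beacon frame, SN=3, FN=0, Flags=........"
'''


def parse_tshark_csv(text):
    """Yield one dict per row; duration_us is None when tshark left the field empty."""
    reader = csv.reader(io.StringIO(text), delimiter=",", quotechar='"')
    for row in reader:
        if len(row) != len(FIELDS):
            continue  # blank or malformed line
        rec = dict(zip(FIELDS, row))
        rec["frame.number"] = int(rec["frame.number"])
        rec["frame.len"] = int(rec["frame.len"])
        dur = rec["wlan_radio.duration"]
        rec["duration_us"] = int(dur) if dur else None
        yield rec


def airtime_by_source(text):
    """Per transmitter: frame count, summed on-air microseconds, frames lacking a duration."""
    totals = defaultdict(lambda: {"frames": 0, "airtime_us": 0, "missing": 0})
    for rec in parse_tshark_csv(text):
        t = totals[rec["source"]]
        t["frames"] += 1
        if rec["duration_us"] is None:
            t["missing"] += 1
        else:
            t["airtime_us"] += rec["duration_us"]
    return dict(totals)


if __name__ == "__main__":
    for src, t in sorted(airtime_by_source(SAMPLE_CSV).items(),
                         key=lambda kv: -kv[1]["airtime_us"]):
        print(f"{src}  frames={t['frames']}  airtime={t['airtime_us']} us  no-duration={t['missing']}")
```

To run it on a real capture, replace SAMPLE_CSV with the contents of file.csv produced by the tshark command above.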