I am trying to capture traffic from an Ethernet interface using tshark and write it out as text for analysis. I am using the following command:
tshark -N n -T fields -i ethernet -e "frame.number" -e "_ws.col.Time" -e "_ws.col.src" -e "_ws.col.dstn" -e "_ws.col.Proto" -e "_ws.col.Len" -e "_ws.col.Info" -E header=y -E separator=, > C:\DataCapture\capture.csv
However, the output does not display all the columns: the Length and Info fields are missing, as shown below:
frame.number _ws.col.Time _ws.col.Src _ws.col.Dstn _ws.col.Proto _ws.col.Len _ws.col.Info
1 0.203766 192.168.0.104 224.0.0.251 MDNS
I also tried using dumpcap to save to a file and then convert it, but I received the same result; every option I tried (that I found online) gives the same output, with neither length nor info.
Keep in mind that I need the output in text for easier processing and a smaller size, and I don't want to keep converting from one format to another since I am working with large volumes of traffic.
My tshark version is 4.0.4
Thanks,
OK, after a couple of days of investigation, I came across a way to extract (or filter) the pcapng file to text with any of the available information. What I have seen online so far uses the `_ws.col` prefix, but this does not work for all the available information: apart from the source IP, destination IP and protocol, (almost) everything else displays an empty field.
Just one note here: I am not sure whether this is how it is meant to be used or just a workaround.
So I extracted a single packet (shown below) and started experimenting with it. The way to do it is that you can pick ANY field name that appears between the double quotes in the JSON and pass it to `-e`, and it should work. Here is an example of a command I tried:
tshark -N n -r file.pcapng -T fields -e frame.number -e ip.src -e ip.dst -e ip.proto -e frame.len -e eth.src_resolved -E header=y -E separator=, > file.txt
and here is the output for that packet, taken from the text file:
frame.number,ip.src, ip.dst, ip.proto, frame.len, eth.src_resolved
1, 248.79.112.255, 192.168.0.111, 6, 174, 00:0c:29:ef:e5:71
I added tabs to the result above to make it easier to read; the actual output is comma-separated with no spaces.
Here is the single packet extract (note that tshark's JSON output repeats some keys within one object, e.g. `ip.addr`, `ip.host` and `tcp.port`; a strict JSON parser will keep only one of the values, so if you plan to parse this JSON rather than just read the field names from it, use `--no-duplicate-keys` so the repeated values are merged into an array):
[
{
"_index": "packets-2023-04-12",
"_type": "doc",
"_score": null,
"_source": {
"layers": {
"frame": {
"frame.section_number": "1",
"frame.interface_id": "0",
"frame.interface_id_tree": {
"frame.interface_name": "\\Device\\NPF_{xxx-xxx-xxx-xxx-xxx}",
"frame.interface_description": "Ethernet0"
},
"frame.encap_type": "1",
"frame.time": "Apr 12, 2023 21:59:31.723135000 xxxx TZ Standard Time",
"frame.offset_shift": "0.000000000",
"frame.time_epoch": "1681325971.723135000",
"frame.time_delta": "0.000000000",
"frame.time_delta_displayed": "0.000000000",
"frame.time_relative": "0.000000000",
"frame.number": "1",
"frame.len": "174",
"frame.cap_len": "174",
"frame.marked": "0",
"frame.ignored": "0",
"frame.protocols": "eth:ethertype:ip:tcp"
},
"eth": {
"eth.dst": "00:0c:29:28:5a:e9",
"eth.dst_tree": {
"eth.dst_resolved": "00:0c:29:28:5a:e9",
"eth.dst.oui": "3113",
"eth.dst.oui_resolved": "VMware, Inc.",
"eth.addr": "00:0c:29:28:5a:e9",
"eth.addr_resolved": "00:0c:29:28:5a:e9",
"eth.addr.oui": "3113",
"eth.addr.oui_resolved": "VMware, Inc.",
"eth.dst.lg": "0",
"eth.lg": "0",
"eth.dst.ig": "0",
"eth.ig": "0"
},
"eth.src": "00:0c:29:ef:e5:71",
"eth.src_tree": {
"eth.src_resolved": "00:0c:29:ef:e5:71",
"eth.src.oui": "3113",
"eth.src.oui_resolved": "VMware, Inc.",
"eth.addr": "00:0c:29:ef:e5:71",
"eth.addr_resolved": "00:0c:29:ef:e5:71",
"eth.addr.oui": "3113",
"eth.addr.oui_resolved": "VMware, Inc.",
"eth.src.lg": "0",
"eth.lg": "0",
"eth.src.ig": "0",
"eth.ig": "0"
},
"eth.type": "0x0800"
},
"ip": {
"ip.version": "4",
"ip.hdr_len": "20",
"ip.dsfield": "0x00",
"ip.dsfield_tree": {
"ip.dsfield.dscp": "0",
"ip.dsfield.ecn": "0"
},
"ip.len": "160",
"ip.id": "0x267a",
"ip.flags": "0x00",
"ip.flags_tree": {
"ip.flags.rb": "0",
"ip.flags.df": "0",
"ip.flags.mf": "0"
},
"ip.frag_offset": "0",
"ip.ttl": "64",
"ip.proto": "6",
"ip.checksum": "0x2978",
"ip.checksum.status": "2",
"ip.src": "123.123.123.123",
"ip.addr": "123.123.123.123",
"ip.src_host": "123.123.123.123",
"ip.host": "123.123.123.123",
"ip.dst": "192.168.0.111",
"ip.addr": "192.168.0.111",
"ip.dst_host": "192.168.0.111",
"ip.host": "192.168.0.111"
},
"tcp": {
"tcp.srcport": "2572",
"tcp.dstport": "80",
"tcp.port": "2572",
"tcp.port": "80",
"tcp.stream": "0",
"tcp.completeness": "0",
"tcp.len": "120",
"tcp.seq": "0",
"tcp.seq_raw": "410684482",
"tcp.nxtseq": "121",
"tcp.ack": "338765635",
"tcp.ack_tree": {
"_ws.expert": {
"tcp.ack.nonzero": "",
"_ws.expert.message": "The acknowledgment number field is nonzero while the ACK flag is not set",
"_ws.expert.severity": "4194304",
"_ws.expert.group": "150994944"
}
},
"tcp.ack_raw": "338765635",
"tcp.hdr_len": "20",
"tcp.flags": "0x0002",
"tcp.flags_tree": {
"tcp.flags.res": "0",
"tcp.flags.ae": "0",
"tcp.flags.cwr": "0",
"tcp.flags.ece": "0",
"tcp.flags.urg": "0",
"tcp.flags.ack": "0",
"tcp.flags.push": "0",
"tcp.flags.reset": "0",
"tcp.flags.syn": "1",
"tcp.flags.syn_tree": {
"_ws.expert": {
"tcp.connection.syn": "",
"_ws.expert.message": "Connection establish request (SYN): server port 80",
"_ws.expert.severity": "2097152",
"_ws.expert.group": "33554432"
}
},
"tcp.flags.fin": "0",
"tcp.flags.str": "··········S·"
},
"tcp.window_size_value": "64",
"tcp.window_size": "64",
"tcp.checksum": "0xe582",
"tcp.checksum.status": "2",
"tcp.urgent_pointer": "0",
"Timestamps": {
"tcp.time_relative": "0.000000000",
"tcp.time_delta": "0.000000000"
},
"tcp.analysis": {
"tcp.analysis.bytes_in_flight": "120",
"tcp.analysis.push_bytes_sent": "120"
},
"tcp.payload": "58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58",
"tcp.segment_data": "58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58:58"
}
}
}
}
]
I hope this helps anyone who needs to extract specific information from a pcapng file.