Tshark - 将数据包信息从 pcap 导出到 cvs [英] Tshark - Export packet info from pcap to cvs
问题描述
我正在尝试使用 Tshark
以编程方式捕获数据包流.我使用的简化终端命令是:
I am trying to programmatically capture a stream of packets by using Tshark
. The simplified terminal command I am using is:
tshark -i 2 -w output.pcap
这非常简单,但我需要获取一个 .csv
文件,以便轻松分析捕获的信息.通过在 Wireshark 中打开 .pcap
文件并将其导出为 .csv,我得到的是一个结构如下的文件:
This is pretty straightforward, but I then need to get a .csv
file in order to easily analyze the information captured.
By opening the .pcap
file in Wireshark and exporting it in .csv what I get is a file structured as follows:
"No.","Time","Source","Destination","Protocol","Length","Info"
但是,同样,我需要以自动方式执行此操作.所以我尝试使用命令:
but,again, I need to do this in an automatic way. So I tried using the command:
tshark -r output.pcap -T fields -e frame.number -e ip.src -e ip.dst -e frame.len -e frame.time -e frame.time_relative -E header=y -E separator=, > output.csv
但是我在手动导出 .csv 时找不到 "Info"
字段的名称.有任何想法吗?谢谢!
but I can not find anywhere the name of the "Info"
field I get when manually exporting the .csv.
Any ideas? Thanks!
推荐答案
是的,如果您使用最新的开发版本,则可以.
请参阅 Wireshark 错误 2892.
下载开发发布版本 1.9.0.
使用以下命令:
$ tshark -i 2 -T fields -e frame.time -e col.Info
输出
2013 年 2 月 28 日 20:58:24.604635000 谁有 10.10.128.203?告诉 10.10.128.1
2013 年 2 月 28 日 20:58:24.678963000 谁有 10.10.128.163?告诉 10.10.128.1
Yes, you can if you use the latest Development Release.
See Wireshark Bug 2892.
Download the Development Release Version 1.9.0.
Use the following command:
$ tshark -i 2 -T fields -e frame.time -e col.Info
Output
Feb 28, 2013 20:58:24.604635000 Who has 10.10.128.203? Tell 10.10.128.1
Feb 28, 2013 20:58:24.678963000 Who has 10.10.128.163? Tell 10.10.128.1
注意
-e col.Info,
使用资本I
Note
-e col.Info,
Use capital I
这篇关于Tshark - 将数据包信息从 pcap 导出到 cvs的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!