I was recently looking at analysing packet data captured as a .pcap file and to filter information to standard output in the form of a .csv file. I was able to do this using the TShark executable within the Wireshark installation directory (http://www.wireshark.org/download.html).
My requirements were to filter the following information from the capture file:
Arrival Time, Source IPv4 address, Destination IPv4 address, Source Port, Destination Port, Header Length, Sequence number, Acknowledgment number, Acknowledgment flag, Push flag, Reset flag, Syn flag, Fin flag, Stream Index.
In order to filter this information I will need to specify the field names that correspond to the items above. A full list of display filter fields can be found at http://www.wireshark.org/docs/dfref/; the fields below are the ones I will be extracting from the capture file:
| Field Name | Description | Type |
|---|---|---|
| frame.number | Frame Number | Unsigned integer, 4 bytes |
| frame.time | Arrival Time | Date and Time |
| ip.src | Source | IPv4 address |
| ip.dst | Destination | IPv4 address |
| tcp.srcport | Source Port | Unsigned integer, 2 bytes |
| tcp.dstport | Destination Port | Unsigned integer, 2 bytes |
| tcp.len | Header Length | Unsigned integer, 1 byte |
| tcp.seq | Sequence number | Unsigned integer, 4 bytes |
| tcp.ack | Acknowledgment number | Unsigned integer, 4 bytes |
| tcp.flags.ack | Acknowledgment | Boolean |
| tcp.flags.push | Push | Boolean |
| tcp.flags.reset | Reset | Boolean |
| tcp.flags.syn | Syn | Boolean |
| tcp.flags.fin | Fin | Boolean |
| tcp.stream | Stream Index | Unsigned integer, 4 bytes |
Because we are selecting individual fields, the text output format (-T) must be set to fields. Our preferred output is a .csv file, so we will set the output options (-E) as follows:

| Output Option | Description |
|---|---|
| separator=, | Select , as the separator. |
| header=y | Switch headers on. |
| quote=d | Select double quotes for values. |
So how do I put this into a command line? As I am reading a capture file I will need to pass the filename with the -r argument, and then redirect standard output to a .csv file as below:

tshark.exe -r <.pcap> -e frame.number -e frame.time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.len -e tcp.seq -e tcp.ack -e tcp.flags.ack -e tcp.flags.push -e tcp.flags.reset -e tcp.flags.syn -e tcp.flags.fin -e tcp.stream -T fields -E separator=, -E header=y -E quote=d > <.csv>
From the output I will be able to analyse the filtered information; with header=y the first row of the .csv holds the field names, so each column header matches the field it was extracted from.
As the capture was performed in Wireshark, the internal Stream Index (tcp.stream) reference becomes extremely useful as this allows for the TCP conversation to be followed.
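As an added example (not part of the original post), the Python script below reads a .csv produced by the command above and groups rows by tcp.stream to follow each TCP conversation, reporting who initiated it, how many packets and tcp.len bytes it carried, and whether the handshake completed, was refused with a reset, or got no reply at all. The sample rows embedded in the script are constructed to mimic the tshark output format and are not from a real capture; the script also assumes that the Boolean flag columns may be spelled either 1/0 or True/False, since different tshark versions print them differently.

```python
import csv
import io
from collections import OrderedDict
from dataclasses import dataclass

# Constructed sample rows in the layout produced by
# tshark -T fields -E header=y -E separator=, -E quote=d (not a real capture).
SAMPLE_CSV = '''"frame.number","frame.time","ip.src","ip.dst","tcp.srcport","tcp.dstport","tcp.len","tcp.seq","tcp.ack","tcp.flags.ack","tcp.flags.push","tcp.flags.reset","tcp.flags.syn","tcp.flags.fin","tcp.stream"
"1","Jan 10, 2013 12:00:00.000100000 UTC","10.0.0.5","10.0.0.9","51000","80","0","0","0","0","0","0","1","0","0"
"2","Jan 10, 2013 12:00:00.000200000 UTC","10.0.0.9","10.0.0.5","80","51000","0","0","1","1","0","0","1","0","0"
"3","Jan 10, 2013 12:00:00.000300000 UTC","10.0.0.5","10.0.0.9","51000","80","0","1","1","1","0","0","0","0","0"
"4","Jan 10, 2013 12:00:00.000400000 UTC","10.0.0.5","10.0.0.9","51000","80","120","1","1","1","1","0","0","0","0"
"5","Jan 10, 2013 12:00:00.000500000 UTC","10.0.0.9","10.0.0.5","80","51000","340","1","121","1","1","0","0","0","0"
"6","Jan 10, 2013 12:00:00.000600000 UTC","10.0.0.5","10.0.0.9","51000","80","0","121","341","1","0","0","0","1","0"
"7","Jan 10, 2013 12:00:00.000700000 UTC","10.0.0.9","10.0.0.5","80","51000","0","341","122","1","0","0","0","1","0"
"8","Jan 10, 2013 12:00:01.000000000 UTC","10.0.0.5","10.0.0.9","51001","443","0","0","0","0","0","0","1","0","1"
"9","Jan 10, 2013 12:00:02.000000000 UTC","10.0.0.5","10.0.0.9","51001","443","0","0","0","0","0","0","1","0","1"
"10","Jan 10, 2013 12:00:03.000000000 UTC","10.0.0.5","10.0.0.9","51002","22","0","0","0","0","0","0","1","0","2"
"11","Jan 10, 2013 12:00:03.000100000 UTC","10.0.0.9","10.0.0.5","22","51002","0","0","1","1","0","1","0","0","2"
'''

# Assumption: older tshark versions print Boolean fields as 1/0, newer ones as True/False.
TRUE_VALUES = {"1", "true"}


def flag_set(value: str) -> bool:
    """Interpret a tshark Boolean column regardless of which spelling it uses."""
    return value.strip().lower() in TRUE_VALUES


@dataclass
class StreamSummary:
    stream: int
    client: str
    server: str
    packets: int = 0
    tcp_len_total: int = 0   # sum of the tcp.len column for this stream
    syn_count: int = 0       # plain SYNs (no ACK) sent by the initiator
    syn_ack_seen: bool = False
    fin_count: int = 0
    reset_seen: bool = False

    @property
    def verdict(self) -> str:
        """Classify the conversation from the flags observed across the stream."""
        if not self.syn_ack_seen and self.reset_seen:
            return "refused"          # SYN answered by RST, e.g. a closed port
        if not self.syn_ack_seen:
            return "no-response"      # SYN (possibly retransmitted) never answered
        if self.fin_count >= 2:
            return "closed-cleanly"   # both sides sent FIN
        if self.reset_seen:
            return "aborted"          # established, then torn down by RST
        return "established"


def summarise_streams(csv_text: str) -> "OrderedDict[int, StreamSummary]":
    """Group tshark CSV rows by tcp.stream and summarise each conversation."""
    reader = csv.DictReader(io.StringIO(csv_text))
    streams: "OrderedDict[int, StreamSummary]" = OrderedDict()
    for row in reader:
        idx = int(row["tcp.stream"])
        if idx not in streams:
            # tshark assigns stream indexes in order of first packet, so the first
            # row seen for a stream belongs to the side that opened it.
            streams[idx] = StreamSummary(
                stream=idx,
                client=f'{row["ip.src"]}:{row["tcp.srcport"]}',
                server=f'{row["ip.dst"]}:{row["tcp.dstport"]}',
            )
        s = streams[idx]
        s.packets += 1
        s.tcp_len_total += int(row["tcp.len"])
        syn = flag_set(row["tcp.flags.syn"])
        ack = flag_set(row["tcp.flags.ack"])
        if syn and not ack:
            s.syn_count += 1
        if syn and ack:
            s.syn_ack_seen = True
        if flag_set(row["tcp.flags.fin"]):
            s.fin_count += 1
        if flag_set(row["tcp.flags.reset"]):
            s.reset_seen = True
    return streams


def main() -> None:
    for s in summarise_streams(SAMPLE_CSV).values():
        print(f"stream {s.stream}: {s.client} -> {s.server} "
              f"pkts={s.packets} tcp.len={s.tcp_len_total} syn={s.syn_count} {s.verdict}")


if __name__ == "__main__":
    main()
```

To run it against a real export, replace SAMPLE_CSV with the contents of the .csv written by the tshark command; the column names are exactly the -e field names because header=y puts them in the first row. Repeated plain SYNs with no SYN/ACK in one stream, as in sample stream 1, are what a half-open or unanswered connection looks like in this summary, which is the kind of pattern the Stream Index makes easy to spot.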