Export pcap data to csv: timestamp, bytes, uplink / downlink, additional information

I was wondering if there is any tool that can analyze the pcap data and convert it to a csv file with the following information:

timestamp, bytes, uplink / downlink, more info ..

In principle, the uplink / downlink direction can be seen from the IP / MAC address, and additional information is not really needed, but I mean, for example, the choice of a specific packet field.

I tried to use some tools, but have not yet found the right one. Otherwise, I will write a small parser. Thanks in advance!

+10
7 answers

TShark
Here are some examples:

  $ tshark -r test.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len > test1.csv

  $ tshark -r test.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len -E header=y -E separator=, > test2.csv

  $ tshark -r test.pcap -R "frame.number > 40" -T fields -e frame.number -e frame.time -e frame.time_delta -e frame.time_delta_displayed -e frame.time_relative -E header=y > test3.csv

  $ tshark -r test.pcap -R "wlan.fc.type_subtype == 0x08" -T fields -e frame.number -e wlan.sa -e wlan.bssid > test4.csv

  $ tshark -r test.pcap -R "ip.addr == 192.168.1.6 && tcp.port == 1696 && ip.addr == 67.212.143.22 && tcp.port == 80" -T fields -e frame.number -e tcp.analysis.ack_rtt -E header=y > test5.csv

  $ tshark -r test.pcap -T fields -e frame.number -e tcp.analysis.ack_rtt -E header=y > test6.csv
+16
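The "small parser" the asker mentions as a fallback, written here as an added example (not code from the question or from any answer): a pure-stdlib Python reader for classic libpcap files that emits the requested timestamp, bytes and uplink / downlink columns, deciding direction by comparing the Ethernet source and destination MAC against an assumed local MAC. The capture bytes, MAC and IP addresses are constructed inline; pcapng files and non-Ethernet link types are rejected rather than mis-parsed.

```python
import csv, io, struct

LOCAL_MAC = bytes.fromhex("aabbccddeeff")   # assumed MAC of the monitored host (constructed)
REMOTE_MAC = bytes.fromhex("001122334455")  # constructed peer MAC

def _frame(src_mac, dst_mac, src_ip, dst_ip, payload_len):
    # Minimal Ethernet + IPv4 header (proto 17) followed by zero payload; constructed sample.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip + b"\x00" * payload_len

def _pcap(frames):
    # Classic little-endian libpcap global header, version 2.4, link type 1 (Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):  # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 250000 * i, len(f), len(f)) + f
    return out

# Two constructed packets: one sent by the local host, one received by it.
SAMPLE_PCAP = _pcap([
    _frame(LOCAL_MAC, REMOTE_MAC, bytes([192, 168, 1, 6]), bytes([67, 212, 143, 22]), 40),
    _frame(REMOTE_MAC, LOCAL_MAC, bytes([67, 212, 143, 22]), bytes([192, 168, 1, 6]), 500),
])

def pcap_to_rows(data, local_mac):
    """Yield (timestamp, bytes, direction, src_ip, dst_ip) for each packet in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Direction from the MAC layer: local source = uplink, local destination = downlink.
        direction = "uplink" if pkt[6:12] == local_mac else "downlink" if pkt[:6] == local_mac else "other"
        src_ip = dst_ip = ""
        if pkt[12:14] == b"\x08\x00" and len(pkt) >= 34:  # IPv4: addresses at fixed offsets
            src_ip = ".".join(map(str, pkt[26:30]))
            dst_ip = ".".join(map(str, pkt[30:34]))
        yield ("%d.%06d" % (ts_sec, ts_usec), orig_len, direction, src_ip, dst_ip)

def pcap_to_csv(data, local_mac):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "bytes", "direction", "src_ip", "dst_ip"])
    writer.writerows(pcap_to_rows(data, local_mac))
    return buf.getvalue()
```

For a real capture, read the file with `open(path, "rb").read()` and pass the MAC of the host whose traffic you are measuring; `orig_len` is used so truncated (snaplen-limited) records still report the on-the-wire size.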

Look no further, Wireshark is your best friend. It can open your pcap file and let you specify the extra columns you want. After that, you can simply export them as csv. On the main interface, just right-click on any of the columns and select "Column Preferences". This opens a new window, which is very intuitive. Just add a new column and specify a field name. So simple.

I tried tshark, but believe me, it gets a little annoying, especially with this:

  tshark: Read filters were specified both with "-R" and with additional command-line arguments.

This message appears if you include too many columns or for some unknown reason.

+3

Looks like you want Bro connection logs:

 bro -r trace.pcap
 head conn.log

Output:

 #separator \x09
 #set_separator ,
 #empty_field (empty)
 #unset_field -
 #path conn
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
 #types time string addr port addr port enum string interval count count string bool count string count count count count
 1258531221.486539 gvuu4KIHDph 192.168.1.102 68 192.168.1.1 67 udp - 0.163820 301 300 SF - 0 Dd 1 329 1 328
 1258531680.237254 6nWmFGj6kWg 192.168.1.103 137 192.168.1.255 137 udp dns 3.780125 350 0 S0 - 0 546 0 0
 1258531693.816224 y2lMKyrnnO6 192.168.1.102 137 192.168.1.255 137 udp dns 3.748647 350 0 S0 - 0 546 0 0

Now we extract the corresponding fields:

 bro-cut ts id.orig_h id.orig_p id.resp_h id.resp_p service orig_bytes resp_bytes < conn.log | head
 1258531221.486539 192.168.1.102 68 192.168.1.1 67 - 301 300
 1258531680.237254 192.168.1.103 137 192.168.1.255 137 dns 350 0
 1258531693.816224 192.168.1.102 137 192.168.1.255 137 dns 350 0
 1258531635.800933 192.168.1.103 138 192.168.1.255 138 - 560 0
 1258531693.825212 192.168.1.102 138 192.168.1.255 138 - 348 0
 1258531803.872834 192.168.1.104 137 192.168.1.255 137 dns 350 0
 1258531747.077012 192.168.1.104 138 192.168.1.255 138 - 549 0
 1258531924.321413 192.168.1.103 68 192.168.1.1 67 - 303 300
 1258531939.613071 192.168.1.102 138 192.168.1.255 138 - - -
 1258532046.693816 192.168.1.104 68 192.168.1.1 67 - 311 300
+2

As noted in the comments on the question, to output ip addresses for frames in the capture file in csv format, use something like:

 tshark -r <filename> -T fields -e ip.addr

See tshark help for more information on options for setting the delimiter and quoting characters in csv output.

Field names can be determined using Wireshark to check the capture file and select a specific field in the details pane. The field name will be shown in the status bar at the bottom of the Wireshark window.

0

You can do this from the Wireshark application itself:

  • Make sure that you have already saved the file to disk ( File>Save ) (if you have only made a capture)
  • Go to File>Export Packet Dissections>as "CSV" [etc]
  • Then enter the file name (make sure you add the .csv at the end, since WS doesn't do this!)

Voila

0

Is it possible that we can specify a field separator other than a comma? Since in my PCap file, if I set separator=, then my data in the output file (.csv) does not look very good, because I have it in most columns.

So, I want to know whether there is some way that we can set the field separator to other characters, i.e. | (pipe) etc.

thanks

0

Here is a python tool to split a pcap into flows and output the extracted features to a CSV file

Try using the flows_to_weka tool in python

This requires a version of scapy installed on your system, and it is better to copy the scapy folder to the weka folder. And copy the wfe.py, tcp_stream.py and entropy.py files to the scapy folder. After you have done this, your current directory should look something like this:

 C:\Users\INKAKA\flows_to_weka\scapy 

and copy the .pcap file to this folder and try this command:

 $ python wfe.py -i input.pcap -t csv > output.csv

and you can also get the features you need by adding them to tcp_stream.py and wfe.py.

For reference, you can visit: https://github.com/fichtner/flows_to_weka

0