2
votes

I am new to network traffic analysis.

I have used the following Tshark command, but no luck.

C:\Program Files\Wireshark>tshark -r C:\Users\Ravi\Desktop\IDS-augustdocuments\iscxdataset\testbed13jun.pcapCopy\split\small_00057_20100613213752.pcap separator=, -R "tcp.data" -T fields frame.number -e appName -e totalSourceBytes > C:\Users\Ravi\Desktop\IDS-augustdocuments\iscxdataset\testbed13jun.pcapCopy\split\18oct.csv

tshark: "=" was unexpected in this context.

Any suggestions to extract features like Direction (for the flows), totalSourceBytes, totalDestinationBytes, totalDestinationPackets, totalSourcePackets, sourceTCPFlagsDescription, etc.?

3
C:\Program Files\Wireshark>tshark -r C:\Users\Ravi\Desktop\IDS-augustdocuments\iscxdataset\testbed13jun.pcapCopy\split\small_00057_20100613213752.pcap -T fields -e ip.src > C:\output.txt

This command is working. I have tried and tested this, but what I need is fields like appName, Direction (of the flow, like L2L, L2R, etc.), totalSourcePackets, etc.
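As an added example (not part of the question or any answer on this page), the per-flow features named above can be computed from plain `tshark -T fields` output: the script below assumes the CSV was produced with `-E separator=, -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e frame.len -e tcp.flags`, treats the first packet seen in a TCP conversation as the "Source" side, and classifies Direction (L2L/L2R/R2L/R2R) against an assumed local network of 192.168.1.0/24; the sample CSV is constructed. appName is not derivable this way and is left out.

```python
import csv
import io
import ipaddress

# Constructed sample of what `tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst
# -e tcp.srcport -e tcp.dstport -e frame.len -e tcp.flags` emits; tcp.flags is a hex bitmask.
# Addresses, ports and frame sizes are made up for this example.
SAMPLE_CSV = """\
192.168.1.10,93.184.216.34,51000,80,74,0x0002
93.184.216.34,192.168.1.10,80,51000,74,0x0012
192.168.1.10,93.184.216.34,51000,80,66,0x0010
192.168.1.10,93.184.216.34,51000,80,500,0x0018
93.184.216.34,192.168.1.10,80,51000,1514,0x0018
192.168.1.10,93.184.216.34,51000,80,66,0x0011
93.184.216.34,192.168.1.10,80,51000,66,0x0011
192.168.1.10,192.168.1.20,52000,22,74,0x0002
"""
FLAG_BITS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U")]

def flags_description(masks):
    """OR together every tcp.flags mask seen in one direction and render it as letters, e.g. 'FSPA'."""
    combined = 0
    for m in masks:
        combined |= m
    return "".join(letter for bit, letter in FLAG_BITS if combined & bit)

def direction(src, dst, local_net):
    """L2L / L2R / R2L / R2R: which side of the monitored ('local') network each endpoint is on."""
    net = ipaddress.ip_network(local_net)
    side = lambda addr: "L" if ipaddress.ip_address(addr) in net else "R"
    return side(src) + "2" + side(dst)

def build_flows(tshark_csv, local_net="192.168.1.0/24"):
    """Aggregate packets into bidirectional TCP flows; the first packet seen defines the Source side."""
    flows = {}
    for src, dst, sport, dport, length, flags in csv.reader(io.StringIO(tshark_csv)):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key, side = (rev, "Destination") if rev in flows else (fwd, "Source")
        f = flows.setdefault(key, {"source": src, "destination": dst,
                                   "direction": direction(src, dst, local_net),
                                   "totalSourcePackets": 0, "totalDestinationPackets": 0,
                                   "totalSourceBytes": 0, "totalDestinationBytes": 0,
                                   "Source_flags": [], "Destination_flags": []})
        f["total%sPackets" % side] += 1
        f["total%sBytes" % side] += int(length)
        f[side + "_flags"].append(int(flags, 16))
    for f in flows.values():  # collapse per-direction flag lists into the flag-description fields
        f["sourceTCPFlagsDescription"] = flags_description(f.pop("Source_flags"))
        f["destinationTCPFlagsDescription"] = flags_description(f.pop("Destination_flags"))
    return list(flows.values())
```

Feed it the real CSV (read from the file tshark wrote) in place of SAMPLE_CSV; each returned dict is one flow row ready to be written out with csv.DictWriter.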

3 Answers

2
votes

Yes. Bro IDS or Argus (Auditing Network Activity).

Argus example:

racluster -L0 -m proto -r filepcap.arg -s proto saddr daddr spkts dpkts sbytes dbytes

Proto            SrcAddr            DstAddr  SrcPkts  DstPkts     SrcBytes     DstBytes 
   udp     84.125.xxx.xxx            0.0.0.0     2634     2580       205131       317889
   tcp     84.125.xxx.xxx            0.0.0.0    34143    42585      6078099     48276978
   arp     84.125.xxx.xxx       84.xxx.xxx.x        3        3          126          180

Best Regards,

1
votes

You have to use quotes:
separator=","

0
votes

I used Bro IDS to get the required fields from the conn.log file.

1) Configure the Bro IDS (follow this link to install Bro IDS): https://www.digitalocean.com/community/tutorials/how-to-install-bro-ids-2-2-on-ubuntu-12-04
2) Start the Bro IDS.
3) Use the command "bro -r your pcap file.pcap"; this will generate .log files in the current directory.
4) Inspect the logs like conn.log, dns.log, http.log, etc. for different information from the pcap file.