0
votes

I want to create a CSV to import it on excel, containing all the packet details shown in wireshark.

Each row should correspond to a packet and the columns to the field details.

Using the following tshark command:

tshark -r mycapturefile.cap -E -V

I can show the information I need like:

Frame 1077: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Aug 15, 2017 14:02:27.095521000 EDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1502820147.095521000 seconds

and other packet details...

What I want is the information provided with -V, so the -T fields option in Wireshark is discarded. Wireshark's export options also don't provide the data I need, only the PDML format, but I think that is more tedious to parse.

I have searched for a tool, a script or a parser with no results. Since each packet is different, making a personal parser may be difficult/tedious, and considering people can extract this information but provide no sources on how to do it, there must be a method or tool that can do it.

Do you know any tool, script or method that already does this?

Thanks in advance.

1
What fields exactly are you interested in? All the fields from -V means ~50-100 columns depending on protocols... – pchaigno

I'm interested in all fields printed with the -V option. I know the number of fields depends on the type of protocol, but what I want is to parse the -V output as a CSV and make an Excel file where each row corresponds to a packet and the columns to the field details. All the packet details possible, in a "human readable" way. Size doesn't matter. I know I can write my own script to do it, but I think there must be a way, tool or already-made parser that does that – noex29

1 Answer

0
votes

There is a ton of information coming down. You gotta use that -Y display filter to whittle it down. The resulting text can then be parsed.

Try -Y "frame.number == 1077" -V and then parse the text that is returned.

In my case I wanted certificate information.

Function GetCertsFromWireSharkPackets2 ($CERTTEXT){
  # Keep only the Source/Destination/Certificate lines of the -V dump, rewrite "Name: value"
  # as "Name=value", then split the joined text at every "|Source" so each chunk is one packet.
  foreach($Cert in($CERTTEXT|?{$_ -match "Source:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Destination:.*\d{1,3}\.\d{1,3}\.\d{1,3}\.|Certificate:"} | %{$_.trim() -replace 'Source:','|Source:' -replace ":",'=' }) -join "`n"| %{$_.split('|')}|?{$_}) {
    # Property names are the text before "=", values the text after it; $Dups holds names that
    # repeat inside this packet (e.g. the several "Certificate" lines of one chain).
    $Cert|%{$Props = [regex]::matches($_,"(?sim)(?<=^).*?(?=\=)").value ; $Dups = [regex]::matches($Props,"(?sim)\b(\w+)\s+\1\b").value.split(' ') ; $values = [regex]::matches($_,"(?sim)(?<=\=).*?(?=$)").value.trim()}
    # Remove the repeated names from the list (split(10) splits on the newline character)...
    $PropsNoDups = ($Props -join "`n").replace(($Dups|select -first 1),'').split(10)|?{$_} ;
    if(($PropsNoDups.count + $Dups.count) -ne $Props.count){$dups+=($dups|select -First 1)}
    # ...and number them: Certificate, Certificate1, Certificate2, ...
    for($X=1;$X -lt $Dups.count;$X++){$dups[$X] +=$X}
    # Pair each name with its value and build a PSObject from the resulting "name"="value" hashtable text.
    $ValidProps = $PropsNoDups+$Dups ; $StitchCount = $Values.Count
    $ValidP_V = For($x=0;$x -lt $StitchCount;$x++){ '"'+$ValidProps[$x] + '"="' + $Values[$x] +'"'} ;$ValidP_V =($ValidP_V -join "`n")|?{$_} ; $ExpText = "New-Object psobject -Property @{`n"+$ValidP_V+"`n}"
    Invoke-Expression($ExpText)|select Source, Destination, Certificate, Certificate1, Certificate2, Certificate3
  }
}


#Click refresh on a few browser tabs to generate traffic.

$CERTTEXT = .\tshark.exe -i 'Wi-Fi' -Y "ssl.handshake.certificate" -V -a duration:30


GetCertsFromWireSharkPackets2 $CERTTEXT

Source       : cybersandwich.com (107.170.193.139)
Destination  : KirtCarson.com (222.168.3.118)
Certificate  : 3082057e30820466a0030201020212030e2782075e8f90f5... (id-at-commonName=multi.zeall.us)
Certificate1 : 308204923082037aa00302010202100a0141420000015385... (id-at-commonName=Let's Encrypt Authority
               X3,id-at-organizationName=Let's Encrypt,id-at-countryName=US)
Certificate2 :
Certificate3 :
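The same approach as this answer (narrow the packets with -Y, then parse the -V text), generalized to what the question asks for: every field of every packet, one CSV row per packet, with columns named "<layer>.<field label>" and repeated labels suffixed Certificate, Certificate1, ... as the answer does. This is an added example in Python, not the answer's code and not part of tshark; the sample -V text below is constructed and trimmed, and tshark is only invoked when a capture file path is given on the command line.

```python
# Turn the human-readable `tshark -V` dump into one CSV row per packet (added example).
import csv
import io
import re
import subprocess
import sys

# Constructed sample of `tshark -V` output, trimmed to a few fields per layer.
SAMPLE_V_OUTPUT = """\
Frame 1077: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
    Arrival Time: Aug 15, 2017 14:02:27.095521000 EDT
    [Time shift for this packet: 0.000000000 seconds]
Address Resolution Protocol (request)
    Opcode: request (1)

Frame 1078: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: 00:11:22:33:44:55 (00:11:22:33:44:55), Dst: 66:77:88:99:aa:bb (66:77:88:99:aa:bb)
    Source: 00:11:22:33:44:55 (00:11:22:33:44:55)
Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2
    0100 .... = Version: 4
    Source: 10.0.0.1
    Destination: 10.0.0.2
Transmission Control Protocol, Src Port: 443, Dst Port: 51234, Seq: 1, Ack: 1, Len: 0
    Flags: 0x010 (ACK)
        .... .... ...0 = Fin: Not set

Frame 1079: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits)
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Handshake Protocol: Certificate
            Certificate: 3082... (id-at-commonName=server.example)
            Certificate: 3082... (id-at-commonName=Example Issuing CA)
"""

BITFIELD_RE = re.compile(r"^[01. ]+ = ")            # "0100 .... = Version: 4"
LAYER_RE = re.compile(r"^([^,:]+?)(?:[,:]\s*(.*))?$")  # layer name up to first ',' or ':'


def _split_layer_line(line):
    """Column-0 line -> (layer name, summary); 'Frame 1077: ...' -> ('Frame', '1077')."""
    m = LAYER_RE.match(line.rstrip())
    if not m:
        return line.strip(), ""
    name, rest = m.group(1).strip(), (m.group(2) or "").strip()
    frame = re.match(r"^Frame\s+(\d+)$", name)
    return ("Frame", frame.group(1)) if frame else (name, rest)


def _split_field_line(line):
    """Indented line -> (label, value); unwraps [generated] fields and bitfield prefixes."""
    text = line.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    if BITFIELD_RE.match(text):
        text = text.split(" = ", 1)[1]
    label, _, value = text.partition(":")
    return label.strip(), value.strip()


def _unique_key(row, key):
    """Suffix a repeated column name: Certificate, Certificate1, Certificate2, ..."""
    n, candidate = 0, key
    while candidate in row:
        n += 1
        candidate = f"{key}{n}"
    return candidate


def parse_tshark_verbose(text):
    """Return a list of dicts, one per packet, keyed by '<layer>.<label>'."""
    packets, row, layer = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():             # a protocol layer header
            layer, summary = _split_layer_line(line)
            if layer == "Frame":              # every packet starts with its Frame block
                row = {}
                packets.append(row)
            if row is not None:
                row[_unique_key(row, layer)] = summary
        elif row is not None:                 # a field inside the current layer
            label, value = _split_field_line(line)
            row[_unique_key(row, f"{layer}.{label}")] = value
    return packets


def packets_to_csv(packets):
    """CSV text with the union of all columns (first-seen order); missing cells are empty."""
    columns = list(dict.fromkeys(key for row in packets for key in row))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="", lineterminator="\n")
    writer.writeheader()
    writer.writerows(packets)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python tshark_v_to_csv.py capture.cap > packets.csv   (no argument: the sample)
    if len(sys.argv) > 1:
        text = subprocess.run(["tshark", "-r", sys.argv[1], "-V"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_V_OUTPUT
    sys.stdout.write(packets_to_csv(parse_tshark_verbose(text)))
```

The -V text is meant for people, and field labels change between Wireshark versions, so check a parser like this against the version that produced the dump; if that becomes a maintenance burden, tshark's -T pdml and -T json exporters carry the same field tree in a structured form.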