1
votes

I am using tshark in a python3 script to capture packets and write the output to a .csv file.

The below line of code works fine, and correctly splits the fields into columns in the .csv file using the ',' as a separator.

from subprocess import call
tsharkCall = ["tshark", "-r", pcap, "-T", "fields", "-e", "frame.number", "-e", "_ws.col.Time", "-e", "_ws.col.Source", "-e", "_ws.col.Destination", "-e", "_ws.col.Protocol", "-e", "_ws.col.Length", "-e", "_ws.col.Info", "-E", "header=y", "-E", "separator=,", "-E", "quote=d", "-E", "occurrence=f"]
tsharkOut = open(csv, "wb")
call(tsharkCall, stdout=tsharkOut)

I would, however, like the field (column) headers to match those that Wireshark would output by default when saving as a .csv.

I therefore found the below on the internet:

tsharkCall = ["tshark", "-r", pcap, "-o", "gui.column.format:", "No.","%m","Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Info","%i", "-E", "header=y", "-E", "separator=,", "-E", "quote=d", "-E", "occurrence=f"]

However, when I run the above amended code, I get the below error:

tshark: Invalid -o flag "gui.column.format:"

Incidentally, if I run the tshark command from a terminal, it creates the csv file, but all fields are put into a single cell and not separated by a ','. So I know tshark is working; it is just that the separator is not getting applied.

tshark -o 'gui.column.format:"No.","%m","Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Info","%i"' > tst.csv 
1
Is it really just an issue of headers? Can't you print() the first line of headers manually? Or maybe you're asking out of curiosity? On my system, with tshark v2.2.6, tshark -o 'column.format:' doesn't output any headers anyway; not sure what the column names are for :-/ - pchaigno
Yes, I would like to use the gui headers. The reason being I have another script which runs afterwards that uses them. - Bat
But why isn't printing them before call(...) an option? - pchaigno
@pchaigno I couldn't get that to work. Maybe my code was incorrect. Plus the gui.column.format method should be able to work, I just can't figure it out. - Bat

1 Answer

0
votes

You need to remove -E header=y from the tshark command and write your own header to the file:

from subprocess import call
# Same field list as in the question, but without "-E header=y"
tsharkCall = ["tshark", "-r", pcap, "-T", "fields", "-e", "frame.number", "-e", "_ws.col.Time", "-e", "_ws.col.Source", "-e", "_ws.col.Destination", "-e", "_ws.col.Protocol", "-e", "_ws.col.Length", "-e", "_ws.col.Info", "-E", "separator=,", "-E", "quote=d", "-E", "occurrence=f"]
# "a" opens the file in append mode: the header goes after any existing content
with open(csv, "a") as tsharkOut:
    tsharkOut.write("No.,Time,Source,Destination,Protocol,Length,Info\n")
    # Flush so the header is in the file before tshark writes its rows
    tsharkOut.flush()
    call(tsharkCall, stdout=tsharkOut)
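
An added example, not part of the question or the answer: the error text in the question quotes `gui.column.format:` alone as the `-o` value, which is what the Python list passes, whereas the shell's single quotes pass the whole preference as one argument. tshark's `-E` options apply only to `-T fields` output, so the sketch below keeps the answer's approach and builds the header row from the same table as the field list; the function names, `pcap_path` and `csv_path` are assumptions.

```python
import csv
import subprocess

# (header title, tshark field, column format) - values taken from the question.
COLUMNS = [
    ("No.", "frame.number", "%m"),
    ("Time", "_ws.col.Time", "%t"),
    ("Source", "_ws.col.Source", "%s"),
    ("Destination", "_ws.col.Destination", "%d"),
    ("Protocol", "_ws.col.Protocol", "%p"),
    ("Length", "_ws.col.Length", "%L"),
    ("Info", "_ws.col.Info", "%i"),
]


def column_format_pref():
    """The -o preference as ONE argv element, as the shell's quotes pass it."""
    pairs = ('"%s","%s"' % (title, fmt) for title, _, fmt in COLUMNS)
    return "gui.column.format:" + ",".join(pairs)


def fields_command(pcap_path):
    """tshark argv for -T fields output, without tshark's own header row."""
    cmd = ["tshark", "-r", pcap_path, "-T", "fields"]
    for _, field, _ in COLUMNS:
        cmd += ["-e", field]
    return cmd + ["-E", "separator=,", "-E", "quote=d", "-E", "occurrence=f"]


def write_header(out):
    """Write the titles, double-quoted like the quote=d data rows."""
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([title for title, _, _ in COLUMNS])
    out.flush()  # header must be in the file before tshark starts writing


def export_csv(pcap_path, csv_path):
    """Create csv_path fresh ("w"), write the header, then let tshark add rows."""
    with open(csv_path, "w", newline="") as out:
        write_header(out)
        return subprocess.call(fields_command(pcap_path), stdout=out)
```

Opening with "w" instead of "a" means a rerun replaces the file rather than adding a second header and a second copy of the rows after the first.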