I have been searching for libraries that can transform PCAP files to CSV format while keeping all the details defined in the pcap file, without explicitly defining which features/fields I want to include in the CSV.

I have tested tools such as Wireshark, tshark, and tcpdump, but I think for all of them I have to manually specify the list of features/columns to be included in my data. Is there a way that I can transform a pcap file to a csv file and keep all pcap details by default, without having to manually list all the features to include in the csv?

Edit to add Code Example:

$ tshark -r traffic.pcap > traffic.csv
$ tshark -r traffic.pcap -T fields -e ip.src -E separator=, \
    -E occurrence=f > traffic.csv

In any case, traffic.csv contains only general information (e.g., No., Time, Source, Destination, Length, Protocol, Info) about the traces without any packet detail. Is there a way I can also have the details of each packet in the csv file?

Any kind insight is greatly appreciated.

Can you post what code/script you have so far? - Ross Jacobs

Added a code example. - Artemis1216

What kind of packet details are you looking for? Note that tshark -T json can be used to get ALL the data. If you're not happy with just using -e ip.src, why not include more fields to save with additional -e <field>? - Ross Jacobs

1 Answer

The first of those won't work, as you haven't told it to write anything looking like CSV; it'll print the columns in a form intended for people to read.

The second of those does work, but you have to explicitly specify, with -e flags, which particular fields you want; you can't just get "all fields". To quote my answer to the same question, asked on the Wireshark Q&A site:

It's not clear that the concept of a CSV of all fields is well-defined.

A row of a CSV file is just a Comma-Separated sequence of Values; there are no tags to indicate what the values are values of. A CSV row, containing the values of all the fields in a packet, would just be a sequence of values, with no indication what those values signify - and not all rows would have the same number of values.

If you used the first row as a table of field names, to solve that problem, that would require that the first row have the name of each field that appears in a packet in the file, and that elements in subsequent rows may be empty (if the field in question isn't in the packet corresponding to that row). It might also require that a field name may appear more than once in the first row, to handle packets with more than one instance of a field.

There is currently no code in Wireshark to do that.
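The header-row approach the quoted answer sketches, as an added example that is not part of the original answer, of Wireshark, or of tshark: a Python script that flattens `tshark -T json` output (which, as the comment above notes, carries every dissected field) into a CSV whose first row is the union of all field names seen in any packet, with a name repeated once per occurrence of that field and empty cells where a packet lacks a field. The sample JSON below is constructed by hand in the shape tshark emits and is simplified (real output nests DNS answers under subtrees and carries many more fields); the script name, the function names and the assumption that repeated fields arrive either as duplicate keys or, with `--no-duplicate-keys`, as JSON arrays are mine.

```python
"""flatten_tshark_json.py (hypothetical name): tshark -T json -> CSV of every field.

Usage:  tshark -r traffic.pcap -T json | python flatten_tshark_json.py > traffic.csv
"""
import csv
import io
import json
import sys

# Constructed sample in the shape of `tshark -T json` output (two packets, trimmed).
# Note the deliberately repeated "dns.a" key: older tshark emits a duplicate key per
# occurrence of a field, which plain json.loads would silently collapse to the last one.
SAMPLE_JSON = r'''[
  {"_index": "packets-2024-01-01", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.number": "1", "frame.len": "74", "frame.protocols": "eth:ethertype:ip:tcp"},
     "eth": {"eth.dst": "aa:bb:cc:dd:ee:ff", "eth.src": "11:22:33:44:55:66"},
     "ip": {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.2", "ip.proto": "6",
            "ip.flags_tree": {"ip.flags.df": "1", "ip.flags.mf": "0"}},
     "tcp": {"tcp.srcport": "41234", "tcp.dstport": "80", "tcp.flags": "0x0002"}
   }}},
  {"_index": "packets-2024-01-01", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.number": "2", "frame.len": "90", "frame.protocols": "eth:ethertype:ip:udp:dns"},
     "eth": {"eth.dst": "11:22:33:44:55:66", "eth.src": "aa:bb:cc:dd:ee:ff"},
     "ip": {"ip.src": "10.0.0.2", "ip.dst": "10.0.0.1", "ip.proto": "17"},
     "udp": {"udp.srcport": "53", "udp.dstport": "5353"},
     "dns": {"dns.qry.name": "example.com", "dns.a": "93.184.216.34", "dns.a": "93.184.216.35"}
   }}}
]'''


def _keep_duplicates(pairs):
    """json.loads hook: merge duplicate keys into a list instead of keeping only the last.

    Also tolerates the array form produced by `tshark --no-duplicate-keys`."""
    out = {}
    for key, value in pairs:
        if key in out:
            prev = out[key] if isinstance(out[key], list) else [out[key]]
            out[key] = prev + (value if isinstance(value, list) else [value])
        else:
            out[key] = value
    return out


def flatten_layers(layers):
    """Map (field_name, occurrence_index) -> value for one packet's "layers" object.

    Layer names and "*_tree" subtrees are containers, not fields, so only leaf values
    are recorded; each repeat of a field within the packet gets the next index."""
    fields = {}
    counts = {}

    def walk(node):
        for name, value in node.items():
            for item in (value if isinstance(value, list) else [value]):
                if isinstance(item, dict):
                    walk(item)
                else:
                    n = counts.get(name, 0)
                    fields[(name, n)] = "" if item is None else str(item)
                    counts[name] = n + 1

    walk(layers)
    return fields


def build_table(json_text):
    """Return (header, rows).

    header is the union of every (field, occurrence) seen in any packet, in first-seen
    order, so a name appears once per occurrence; rows are padded with "" for absent
    fields, which is exactly the scheme the answer above says would be needed."""
    packets = json.loads(json_text, object_pairs_hook=_keep_duplicates)
    flat = [flatten_layers(p["_source"]["layers"]) for p in packets]
    columns = []
    seen = set()
    for record in flat:
        for key in record:
            if key not in seen:
                seen.add(key)
                columns.append(key)
    header = [name for name, _ in columns]
    rows = [[record.get(col, "") for col in columns] for record in flat]
    return header, rows


def packets_to_csv(json_text):
    """Render the table as CSV text (csv module handles quoting of commas/quotes)."""
    header, rows = build_table(json_text)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    sys.stdout.write(packets_to_csv(text))
```

Because the header is built from the whole file, the script holds every packet in memory; for large captures the same two-pass idea (collect the column set first, then emit rows) works streaming over `tshark -T ek` newline-delimited output. Field values are kept as the strings tshark prints, so anything consuming the CSV must still know which column is an address and which is a hex flag word.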