0

I am interested in one particular piece of information in the .pcap (the Frame Control field). I want to extract it to a text file and then plot graphs using the extracted data. I can export to a text file using Wireshark, but I am looking to automate the process.

As of now I know that tshark can be used to convert .pcap to text files, but then it outputs the whole packet. Instead, I am interested in only one particular piece of information.

Is there some nice way to do this?

Aman Deep Gautam

1 Answer

2

> Is there some nice way to do this.

Could be.

If the field you wish to extract has a filter, then you can use tshark to output just that field using the -T and -e switches:

```
tshark -Tfields -e tcp.port -r ....
```

See tshark -h for details...

To use Wireshark to see the name for a field, click on the field in the details pane and then note the field name shown in the bottom status bar.

Which field(s) specifically do you want? From what protocol?

willyo
  • I will look into it. I have a .pcap file of `802.11` packets and want to extract frame control information. – Aman Deep Gautam Feb 08 '13 at 09:37
  • 1
    The 802.11 Frame Control field is called `wlan.fc`, so try `tshark -Tfields -e wlan.fc -r ....`. –  Feb 09 '13 at 04:39
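
An added example, not part of the original answer or comments: Python code that decodes the `wlan.fc` values printed by `tshark -Tfields -e wlan.fc` into type, subtype and flags, and counts frames per type/subtype so the result can be plotted. It assumes tshark prints the field as a hex number with the first octet of the field as the high byte, as Wireshark displays it; the function names and the sample values are constructed for illustration.

```python
import subprocess
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
FLAGS = ["to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgt", "more_data", "protected", "order"]

def decode_fc(text):
    """Decode one wlan.fc value as printed by tshark (e.g. '0x8801')."""
    value = int(text, 16) & 0xFFFF
    # Assumption: the first octet on the wire is the high byte of the printed value.
    first, flags = value >> 8, value & 0xFF
    return {
        "version": first & 0x03,
        "type": TYPES[(first >> 2) & 0x03],
        "subtype": first >> 4,
        "flags": [name for bit, name in enumerate(FLAGS) if flags & (1 << bit)],
    }

def summarize(lines):
    """Count frames per (type, subtype); blank lines are frames without wlan.fc."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # A field occurring more than once in a frame is comma-separated; use the first.
        fc = decode_fc(line.split(",")[0])
        counts[(fc["type"], fc["subtype"])] += 1
    return counts

def read_fc(pcap_path):
    """Run the tshark command from the answer and return its output lines."""
    result = subprocess.run(
        ["tshark", "-r", pcap_path, "-Tfields", "-e", "wlan.fc"],
        capture_output=True, text=True, check=True)
    return result.stdout.splitlines()

# Constructed sample output, not taken from a real capture.
SAMPLE = ["0x8000", "0x8000", "0x8801", "", "0xd400", "0x0842"]

if __name__ == "__main__":
    # Tab-separated rows (type, subtype, count) ready for a plotting tool.
    for (ftype, subtype), n in sorted(summarize(SAMPLE).items()):
        print(f"{ftype}\t{subtype}\t{n}")
```

To use it on a real capture, pass `read_fc("capture.pcap")` (a placeholder file name) to `summarize` instead of `SAMPLE`.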