Sometimes you need to export a pcap file as CSV so you can look at it in Excel.
Here is how to get CSV output from tshark.
tshark -r file.pcap -T fields -E separator=, -E quote=d -E header=y -e ip.src -e ip.dst
Run like this, the source IP and destination IP of each packet are printed in CSV format.
-T fields : selects the "fields" output format, in which you choose the fields to print with -e.
-E separator=, : use ',' as the separator between fields (the default is a tab).
-E quote=d : wrap each field in double quotes; 's' gives single quotes, 'n' (the default) gives no quotes.
-E header=y : print the field names as the first line of the output.
To save the result as a text file, redirect the output to a file.
-T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
Set the format of the output when viewing decoded packet data. The options are one of:
"fields" The values of fields specified with the -e option, in a form specified by the -E option. For example, -T fields -E separator=, -E quote=d would generate comma-separated values (CSV) output suitable for importing into your favorite spreadsheet program.
"pdml" Packet Details Markup Language, an XML-based format for the details of a decoded packet. This information is equivalent to the packet details printed with the -V flag.
"ps" PostScript for a human-readable one-line summary of each of the packets, or a multi-line view of the details of each of the packets, depending on whether the -V flag was specified.
"psml" Packet Summary Markup Language, an XML-based format for the summary information of a decoded packet. This information is equivalent to the information shown in the one-line summary printed by default.
"json" Packet Summary, a JSON-based format for the details summary information of a decoded packet. This information is equivalent to the packet details printed with the -V flag.
"jsonraw" Packet Details, a JSON-based format for machine parsing including only raw hex decoded fields (same as -T json -x but without text decoding, only raw fields included).
"ek" Packet Details, an EK JSON-based format for bulk insert into an Elasticsearch cluster. This information is equivalent to the packet details printed with the -V flag.
"text" Text of a human-readable one-line summary of each of the packets, or a multi-line view of the details of each of the packets, depending on whether the -V flag was specified. This is the default.
"tabs" Similar to the text report except that each column of the human-readable one-line summary is delimited with an ASCII horizontal tab character.
-e <field>
Add a field to the list of fields to display if -T fields is selected. This option can be used multiple times on the command line. At least one field must be provided if the -T fields option is selected. Column names may be used prefixed with "col."
Example: -e frame.number -e ip.addr -e udp -e col.info
Giving a protocol rather than a single field will print multiple items of data about the protocol as a single field. Fields are separated by tab characters by default. -E controls the format of the printed fields.
-E <field print option>
Set an option controlling the printing of fields when -T fields is selected.
Options are:
header=y|n If y, print a list of the field names given using -e as the first line of the output; the field name will be separated using the same character as the field values. Defaults to n.
separator=/t|/s|<character> Set the separator character to use for fields. If /t tab will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.
occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).
aggregator=,|/s|<character> Set the aggregator character to use for fields that have multiple occurrences. If , a comma will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.
quote=d|s|n Set the quote character to use to surround fields. d uses double-quotes, s single-quotes, n no quotes (the default).
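The following script is an added example, not code from the original post or from the tshark project. It wraps the CSV export shown at the top of the post in a function, and it applies the -E occurrence/aggregator options described above: the aggregator is changed from the default ',' to ';' so that a field with several values (ip.addr on an ICMP error carrying an inner IP header is a common case) cannot inject extra commas into a comma-separated file. A second function summarizes the CSV with awk. The field names (frame.number, frame.time_epoch, ip.src, ip.dst, tcp.srcport, tcp.dstport, udp.dstport) are real tshark field names; the sample CSV inside the script is constructed by hand in the shape tshark produces with quote=d and header=y, so the script runs even on a machine without tshark.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes tshark is on PATH when
# pcap_to_csv is actually invoked; the rest runs with plain sh, awk and sort.

# Export selected fields from a pcap as CSV.
# -E aggregator=';' replaces the default ',' so a multi-valued field cannot
# add stray commas to a comma-separated line; -E occurrence=a (the default,
# stated explicitly) keeps every value, joined by that ';'.
# Extra arguments are passed through, e.g. a -Y display filter.
pcap_to_csv() {
    pcap="$1"; shift
    tshark -r "$pcap" \
        -T fields -E header=y -E separator=, -E quote=d \
        -E occurrence=a -E aggregator=';' \
        -e frame.number -e frame.time_epoch -e ip.src -e ip.dst \
        -e tcp.srcport -e tcp.dstport -e udp.dstport "$@"
}

# Count (ip.src -> ip.dst) pairs in CSV read from stdin, most frequent first.
# Splitting on ',' is safe here because none of the exported fields contain a
# comma once the aggregator is ';'; the quotes added by quote=d are stripped.
top_pairs() {
    awk -F',' 'NR > 1 {
                   gsub(/"/, "", $3); gsub(/"/, "", $4)
                   c[$3 " -> " $4]++
               }
               END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample in the exact shape pcap_to_csv emits (header line, every
# field double-quoted, empty fields left as ""). Not captured traffic.
sample_csv() {
    cat <<'EOF'
"frame.number","frame.time_epoch","ip.src","ip.dst","tcp.srcport","tcp.dstport","udp.dstport"
"1","1392000000.000001","10.0.0.5","93.184.216.34","51234","443",""
"2","1392000000.000420","93.184.216.34","10.0.0.5","443","51234",""
"3","1392000000.001000","10.0.0.5","93.184.216.34","51234","443",""
"4","1392000000.002000","10.0.0.5","10.0.0.1","","","53"
EOF
}

# Usage: ./pcap_csv.sh file.pcap   (falls back to the sample without tshark)
if [ -n "$1" ] && command -v tshark >/dev/null 2>&1; then
    pcap_to_csv "$1" | top_pairs
else
    sample_csv | top_pairs
fi
```

To keep the full CSV as well as the summary, write it to a file first (pcap_to_csv file.pcap > file.csv) and run top_pairs over the file; Excel and csv libraries handle the quote=d quoting, but a plain cut or awk split only stays correct as long as no exported field contains the separator, which is the reason for changing the aggregator.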
참조 : http://www.wireshark.org/docs/man-pages/tshark.html