
Export CBSP, SABP and SBcAP packets

Hi,

I have a PCAP file with packets using the CBSP, SABP and SBcAP protocols. I'd like to export these packets to a readable text file with the content and all attributes, to be able to read this information in an application. I'll develop the application.

How do I do this? I saw it's possible to use Wireshark on the command line.

A PCAP file is available here : https://wetransfer.com/downloads/b530...

Thank you for your help

breizh_picsou asked 2021-09-21 18:18:56 +0000


1 Answer


You can use tshark to do this. For example:

tshark -r test.pcap -Y 'cbsp or sabp or sbcap' -O cbsp,sabp,sbcap -T json

Options: -r to read the file, -Y for the display filter, -O to output only the listed protocols, -T (optional) to select the output format.
See documentation at: https://www.wireshark.org/docs/man-pa...

You can redirect the output to a file or run tshark as a sub-process in your application and process its output directly.

André answered 2021-09-21 20:18:25 +0000, updated 2021-09-21 20:25:23 +0000

Comments

Thank you André for your answer. After a few tests, the pdml format is easier to manage in my application, but I have a few issues. With these two options together

-Y 'cbsp or sabp or sbcap' -O cbsp,sabp,sbcap,

I have an error saying the format is indicated twice. I kept only "-O cbsp,sabp,sbcap" but the filter is not working, so I have very big PDML files. If I keep only -Y 'cbsp or sabp or sbcap', the generated PDML file is empty.

How to solve it?

breizh_picsou (2021-09-22 13:18:58 +0000)

I think you are using the command prompt on Windows. In that case use double-quotes for strings:

tshark -r test.pcap -Y "cbsp or sabp or sbcap" -O cbsp,sabp,sbcap -T pdml

The Windows command prompt treats a single quote as a regular character, so the next "or" is read by tshark as an additional command-line argument instead of part of the display filter. Single quotes can be used in PowerShell and on Mac/Linux (bash).

By the way: for testing it may be handy to limit the output of tshark by using the -c option. For example, adding -c 1000 means "stop reading after 1000 packets", or replace -Y by -c10 -2R to output only the first 10 packets that match the filter.

André (2021-09-22 18:06:58 +0000)
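The following is an added example, not code from the thread above, showing how the approach in André's answer and the follow-up about quoting fit together in an application: the tshark command is built as an argv list (so the display filter reaches tshark as one argument without depending on how cmd.exe, PowerShell or bash treat quotes), and the PDML that tshark writes is parsed into plain Python structures. The PDML sample embedded at the bottom is constructed for this example; the field names under the cbsp proto (cbsp.pdu, cbsp.messageType) and the port number are placeholders chosen here, not values taken from the Wireshark dissectors.

```python
"""Run tshark on a capture and turn its PDML output into Python structures.
Added example for this thread; the protocol field names in the sample below
are placeholders, not the real Wireshark dissector field names."""
import subprocess
import xml.etree.ElementTree as ET

PROTOCOLS = ("cbsp", "sabp", "sbcap")


def tshark_argv(pcap_path, protocols=PROTOCOLS, limit=None, tshark="tshark"):
    """Build the tshark command line as a list.

    Handing a list to subprocess (no shell) means the display filter is a
    single argument whatever the shell's quoting rules are, which avoids the
    cmd.exe single-quote problem discussed in the thread.
    """
    argv = [tshark, "-r", pcap_path,
            "-Y", " or ".join(protocols),  # display filter: only these protocols
            "-O", ",".join(protocols),     # expand only these protocols in full
            "-T", "pdml"]                  # PDML (XML) output
    if limit is not None:
        argv += ["-c", str(limit)]         # stop after N packets read (testing aid)
    return argv


def run_tshark(pcap_path, **kwargs):
    """Invoke tshark and return its PDML text (needs tshark on PATH)."""
    result = subprocess.run(tshark_argv(pcap_path, **kwargs),
                            capture_output=True, text=True, check=True)
    return result.stdout


def _field_to_dict(field):
    """Convert one <field> element (possibly nested) into a dict."""
    entry = {"name": field.get("name", ""),
             "showname": field.get("showname", ""),
             "show": field.get("show"),
             "value": field.get("value"),  # raw bytes as hex, when present
             "pos": int(field.get("pos", 0)),
             "size": int(field.get("size", 0))}
    children = [_field_to_dict(f) for f in field.findall("field")]
    if children:
        entry["fields"] = children
    return entry


def parse_pdml(pdml_text, protocols=PROTOCOLS):
    """Parse PDML into a list of packets, keeping only the requested protocols.

    Each packet becomes {"frame": <frame number>, "protos": [...]} where every
    proto carries its fields as nested dicts. Packets with none of the
    requested protocols are dropped, which is what -Y does on the tshark side.
    """
    if isinstance(pdml_text, str):
        pdml_text = pdml_text.encode("utf-8")  # bytes keep the XML declaration valid
    packets = []
    for pkt in ET.fromstring(pdml_text).iter("packet"):
        frame_no, protos = None, []
        for proto in pkt.findall("proto"):
            pname = proto.get("name", "")
            if pname == "frame":
                num = proto.find("field[@name='frame.number']")
                if num is not None:
                    frame_no = int(num.get("show"))
            elif pname in protocols:
                protos.append({"proto": pname,
                               "showname": proto.get("showname", ""),
                               "fields": [_field_to_dict(f) for f in proto.findall("field")]})
        if protos:
            packets.append({"frame": frame_no, "protos": protos})
    return packets


def flatten_fields(packet):
    """Yield (field name, show value) pairs for every field, depth-first."""
    def walk(fields):
        for f in fields:
            yield f["name"], f["show"]
            yield from walk(f.get("fields", []))
    for proto in packet["protos"]:
        yield from walk(proto["fields"])


# Constructed sample in the shape tshark -T pdml emits (two packets, only the
# first carrying the placeholder "cbsp" proto).
SAMPLE_PDML = """<?xml version="1.0" encoding="utf-8"?>
<pdml version="0" creator="wireshark/3.4.8">
<packet>
  <proto name="frame" showname="Frame 1: 74 bytes on wire" size="74" pos="0">
    <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
    <field name="tcp.dstport" showname="Destination Port: 48049" size="2" pos="36" show="48049" value="bbb1"/>
  </proto>
  <proto name="cbsp" showname="Cell Broadcast Service Protocol" size="12" pos="62">
    <field name="cbsp.pdu" showname="PDU" size="12" pos="62" show="">
      <field name="cbsp.messageType" showname="Message Type: 1" size="1" pos="62" show="1" value="01"/>
    </field>
  </proto>
</packet>
<packet>
  <proto name="frame" showname="Frame 2: 60 bytes on wire" size="60" pos="0">
    <field name="frame.number" showname="Frame Number: 2" size="0" pos="0" show="2"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
    <field name="tcp.dstport" showname="Destination Port: 80" size="2" pos="36" show="80" value="0050"/>
  </proto>
</packet>
</pdml>
"""

if __name__ == "__main__":
    for packet in parse_pdml(SAMPLE_PDML):
        print("frame", packet["frame"])
        for name, show in flatten_fields(packet):
            print("  ", name, "=", show)
```

In a real run you would replace SAMPLE_PDML with run_tshark("test.pcap", limit=1000); parse_pdml still filters by protocol name on the application side, so output that was dissected without -Y is handled the same way. The PDML "show" attribute is the human-readable value and "value" the raw hex, so an application that needs the wire bytes should read "value" and fall back to "show".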
