
I have a 1.5Gb capture of small UDP packets that I would like to turn into a CSV with just timestamp and UDP payload data in hex format.

An example of the desired output would be as follows:

% head Data3.txt 
0.000000,0000000041000000005ec812ac00047dce00000000
0.000194,0000000042000000005ec812ac00047db500000000
0.000227,0000000041000000005ec812ac00047dce00000000
0.000619,0000000042000000005ec812ac00047db500000000
0.000663,0000000041000000005ec812ac00047dce00000000
0.000854,0000000042000000005ec812ac00047db500000000
0.000883,0000000041000000005ec812ac00047dce00000000

I do not need this exact format, just a format that can later be transformed into this data (in this case they are 21-byte UDP packets).

I am struggling to achieve this with tcpdump without success, so I have found that tshark can do the job:

  tshark -r May31Jun5.pcap -t r -T fields -e frame.time -e data

That command gives the delta time and payload as required (see below excerpt).

Jun  1, 2020 00:02:27.567001000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567014000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567028000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567042000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567056000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567066000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567106000 CEST    0000000054000000005ed4297300049fb100000001
Jun  1, 2020 00:02:27.567124000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567137000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567152000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:28.095487000 CEST    0000000041000000005ed4297300049fe300000000

However I would like to have just seconds with decimals, so instead of:

Jun  1, 2020 00:02:28.095487000

It would be:

148.095487000

How can I achieve that? I guess it is possible because the GUI version of Wireshark displays that value.

M.E.
  • Does this help?: [How do I make tcpdump not print the tcp headers?](https://serverfault.com/q/206734/274176) – Esa Jokinen Jun 07 '20 at 10:43
  • I have tried to pipe the content of the pcap tcpdump captured file into tcpflow `tcpdump -r May31Jun5.pcap -l -w - | tcpflow -C -r -` but it gives nothing. Reading tcpflow man page I suspect it only works for TCP, could that be the case? – M.E. Jun 07 '20 at 10:51
  • I learnt here (https://osqa-ask.wireshark.org/questions/38818/see-udp-data-with-tshark) that `tshark -r dns.cap -T fields -e data` gives the payload. Now I just need to add the delta timestamp. Any tip for that is welcomed. (I did not know Wireshark has a command line utility) – M.E. Jun 07 '20 at 10:55
  • I have edited the question including the last findings. Now I just need to format the delta timestamp into a pure seconds elapsed since beginning value. – M.E. Jun 07 '20 at 11:43

2 Answers

2

To get a CSV-style output for simple fields, you can use the -T fields option with tshark, combined with the -E separator=, option to use commas as separator as opposed to tabs.

Next, to figure out what kind of field names to use, check the status bar in the GUI for a selected field, or use tshark -T pdml -r some.pcap for example, or tshark -G fields for a full list of supported fields.

For columns, you can use the special _ws.col.<name> field. For example, _ws.col.Time.

Combining this information, you can use something like:

tshark -r your.pcap -Tfields -Eseparator=, -eframe.time_relative -edata > your.csv

Bonus information:

  • If a UDP dissector (e.g. DNS) consumes the UDP payload, the data field will be empty. Add the --disable-protocol dns option to avoid that.
  • In the current development version, a new udp.payload option has been added which should avoid the previous option. (commit v3.3.0rc0-250-gf04475167a)
  • If for some reason a field occurs multiple times, it will be output, separated by commas. You can use the -E occurrence=1 option to limit the results to the first value only.
  • For more details about these options, see the tshark manual page.
Lekensteyn
  • Thanks, excellent and very complete answer and it includes tips I was not aware of. – M.E. Jun 07 '20 at 20:07
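The answer above relies on tshark's dissectors to produce the timestamp and payload columns. As an added example (not from the answer or from the Wireshark project), the script below produces the same "relative_seconds,payload_hex" rows straight from a pcap file in Python, which is useful when tshark is not installed on the box that holds the capture, or when you want to be sure no dissector (the DNS case mentioned in the bonus notes) has swallowed the payload. It handles only classic pcap (microsecond or nanosecond magic, Ethernet link type), not pcapng; a two-packet capture is constructed inline, reusing two payloads from the question, so the script runs offline. The `build_sample_pcap` and `build_udp_frame` helpers exist only to fabricate that input.

```python
"""Emit "relative_seconds,payload_hex" for every UDP packet in a classic pcap."""
import struct
import sys
from typing import List, Optional, Tuple

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
LINKTYPE_ETHERNET = 1


def udp_payload(frame: bytes) -> Optional[bytes]:
    """Return the UDP payload of an Ethernet/IPv4/UDP frame, or None otherwise."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", ip, 2)
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    (udp_len,) = struct.unpack_from("!H", ip, ihl + 4)
    # Bound the payload by the UDP length, the IP total length and the bytes
    # actually captured, so Ethernet padding or a short snaplen never leaks
    # trailing garbage into the "payload" column.
    end = min(ihl + udp_len, total_len, len(ip))
    return ip[ihl + 8:end]


def parse_pcap_udp(data: bytes) -> List[Tuple[str, str]]:
    """Return [(relative_seconds, payload_hex), ...], first packet at 0."""
    (magic,) = struct.unpack_from("<I", data, 0)
    # magic selects byte order and whether the fraction field is µs or ns
    table = {0xA1B2C3D4: ("<", 6), 0xD4C3B2A1: (">", 6),
             0xA1B23C4D: ("<", 9), 0x4D3CB2A1: (">", 9)}
    if magic not in table:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, digits = table[magic]
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    rows, first, off = [], None, 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len:
            break  # truncated capture: stop rather than emit a partial frame
        # keep time as integer nanoseconds to avoid float rounding in the delta
        t_ns = ts_sec * 10**9 + ts_frac * 10 ** (9 - digits)
        if first is None:
            first = t_ns
        payload = udp_payload(frame)
        if payload is None:
            continue
        rel = t_ns - first
        rows.append((f"{rel // 10**9}.{rel % 10**9:09d}"[: -(9 - digits) or None], payload.hex()))
    return rows


def rows_to_csv(rows: List[Tuple[str, str]]) -> str:
    return "".join(f"{t},{p}\n" for t, p in rows)


def build_udp_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; parsing only)."""
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap() -> bytes:
    """Constructed two-packet µs-resolution pcap, 194 µs apart, 21-byte payloads."""
    p1 = bytes.fromhex("0000000041000000005ec812ac00047dce00000000")  # from the question
    p2 = bytes.fromhex("0000000042000000005ec812ac00047db500000000")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, payload in [(1590969747, 567001, p1), (1590969747, 567195, p2)]:
        frame = build_udp_frame(payload)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    sys.stdout.write(rows_to_csv(parse_pcap_udp(blob)))
```

Run it as `python3 pcap2csv.py May31Jun5.pcap > May31Jun5.csv`; without an argument it prints the two constructed rows. The relative timestamp is printed with as many decimals as the file actually stores (six for µs captures, nine for ns captures), matching the precision tshark shows for `frame.time_relative`.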
0

EDIT: This is so far what I have done. I can either get one field or another, but not both.

To get timestamp delta:

tshark -r May31Jun5.pcap -o 'gui.column.format:"Time","%t"' > May31Jun5.time.csv
...
262.625098
262.625148
262.625237
262.625762
262.625781
262.625800
262.626037
262.626050
262.626206
262.626232
262.626455
262.626679
...

To get data payload:

tshark -r May31Jun5.pcap -Tfields -e data > May31Jun5.data.csv
...
0000000041000000005ed428ff0004a04700000000
0000000042000000005ed428ff0004a02e00000000
0000000054000000005ed428ff0004a02e00000002
0000000054000000005ed428ff0004a01500000002
0000000041000000005ed428ff0004a04700000000
0000000042000000005ed428ff00049ffc00000000
0000000041000000005ed428ff0004a04700000000
0000000042000000005ed428ff0004a01500000000
0000000054000000005ed428ff0004a01500000001
0000000041000000005ed428ff0004a04700000000
0000000042000000005ed428ff0004a01500000000
0000000054000000005ed428ff0004a01500000001
0000000041000000005ed428ff0004a04700000000
0000000042000000005ed428ff00049ffc00000000
0000000054000000005ed428ff0004a04700000002
0000000041000000005ed428ff0004a04700000000
0000000042000000005ed428ff00049ffc00000000
0000000041000000005ed428ff0004a04700000000
...

Then in UNIX you can easily mix both with paste:

paste -d',' May31Jun5.time.csv May31Jun5.data.csv | sed 's/^ *//g' > May31Jun5.csv

How to get both at the same time with tshark? No idea.

M.E.
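The self-answer above joins two separately generated files with paste, which silently misaligns rows if either tshark run drops a packet. As an added example (not part of the answer), the script below instead post-processes the single `tshark -T fields -e frame.time -e data` output already shown in the question, converting each absolute `frame.time` value into seconds since the first line, so the timestamp and payload of one packet never come from different files. Three lines copied from the question's excerpt are embedded as constructed input; the regular expression and the zone handling (the zone name is ignored, which assumes no DST change inside the capture) are this example's assumptions, not tshark behaviour.

```python
"""Turn "frame.time<TAB>data" tshark output into "seconds_since_first,payload_hex"."""
import re
import sys
from datetime import datetime
from typing import Iterable, List, Tuple

# "Jun  1, 2020 00:02:27.567001000 CEST" -> whole-second part, fraction digits, zone
TIME_RE = re.compile(r"^(\w{3}\s+\d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9})\s+\S+$")

# constructed input: three lines from the excerpt in the question
SAMPLE = (
    "Jun  1, 2020 00:02:27.567001000 CEST\t0000000041000000005ed4297300049fe300000000\n"
    "Jun  1, 2020 00:02:27.567014000 CEST\t0000000042000000005ed4297300049fb100000000\n"
    "Jun  1, 2020 00:02:28.095487000 CEST\t0000000041000000005ed4297300049fe300000000\n"
)


def parse_frame_time(text: str) -> Tuple[datetime, int]:
    """Split a frame.time string into a whole-second datetime and nanoseconds.

    datetime only carries microseconds, so the fraction is kept separately as
    an integer to preserve all nine digits tshark prints.
    """
    m = TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised frame.time value: {text!r}")
    # collapse the double space in "Jun  1" before strptime
    whole = datetime.strptime(" ".join(m.group(1).split()), "%b %d, %Y %H:%M:%S")
    nanos = int(m.group(2).ljust(9, "0"))
    return whole, nanos


def relative_rows(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return [(relative_seconds, payload_hex), ...] with the first line at 0."""
    rows: List[Tuple[str, str]] = []
    base = None
    for line in lines:
        if not line.strip():
            continue
        time_str, _, payload = line.rstrip("\r\n").partition("\t")
        whole, nanos = parse_frame_time(time_str)
        if base is None:
            base = (whole, nanos)
        delta = whole - base[0]
        rel_ns = (delta.days * 86400 + delta.seconds) * 10**9 + (nanos - base[1])
        sign = "-" if rel_ns < 0 else ""  # out-of-order timestamps stay visible
        rel_ns = abs(rel_ns)
        # a packet whose payload a dissector consumed still gets its row, with
        # an empty second column, so row count matches the capture
        rows.append((f"{sign}{rel_ns // 10**9}.{rel_ns % 10**9:09d}", payload.strip()))
    return rows


def to_csv(rows: List[Tuple[str, str]]) -> str:
    return "".join(f"{t},{p}\n" for t, p in rows)


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines(keepends=True)
    sys.stdout.write(to_csv(relative_rows(src)))
```

Usage: `tshark -r May31Jun5.pcap -T fields -e frame.time -e data > raw.tsv && python3 reltime.py raw.tsv > May31Jun5.csv`. The baseline is the first line of the input, so feed it the full tshark output rather than an excerpt if the seconds are meant to count from the start of the capture.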