views:

388

answers:

3

Hi everyone. I am trying to automate a repetitive manual process for which I use WireShark:

1) Load a given pcap file

2) Apply a simple filter for a given protocol

3) Use the export dialog box to export the displayed packets to CSV file

4) Use the export dialog box to export the displayed packets in XML PDML form.

This is tedious, and requires human involvement in the middle of a process that is mostly automated (including the analysis of the files to produce reports).

Is there some way to either automate Wireshark, or somehow access the underlying libraries used for export?

UPDATE: As several people here indicated, TShark turns out to be the way to go. The exact command line I ended up using is:

tshark -r MyDataFile.pcap -T pdml -R MyProtocol > MyOutputFile.xml

I then use an event-based XML parser (Python's expat) to parse the generated 2GB file.

+1  A: 

I haven't ever tried to automate Wireshark before, though I have had to do something similar to what you describe. I ended up reducing the handful of human (and thus error-prone) steps to one step that was automated.

Autohotkey is my solution for lots of repetitive GUI-based tasks. You can very easily write a keystroke playback script that will do all of the above steps. You'll probably have to have it increment the filename for you automatically. You could also have your other automated tool kick off the Autohotkey script with a keystroke.

Dave
A: 

I think what you should do is look into tshark. That is the Linux command-line version, which will allow exactly what you ask for (assuming you have access to it). And of course, this assumes that it is acceptable to run tshark and then review the outputs manually.

MJB
+1  A: 

I looked at the dependency list of Wireshark on my Debian system, and I found TShark: it's the command-line version of Wireshark.

It seems interesting, but I haven't read the manual yet; however, it's for sure more script-friendly.

Also, I'll stay tuned on this thread and post more info when I start using it.

Dacav
OK, it's awesome. You can extract the field you want and provide both pcap filtering and Wireshark display filtering. The output is pushed to stdout, therefore you can easily script it.
Dacav
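The streaming approach from the question's UPDATE (tshark PDML export parsed with Python's expat) and the field extraction Dacav describes, as an added example that is not part of the original thread: it assumes tshark is on PATH and uses its -Y display-filter option (the successor of the -R flag quoted above); the PDML sample and its addresses are constructed, and the field names and function names are my own.

```python
import subprocess
import xml.parsers.expat
from io import BytesIO

# Constructed PDML shaped like `tshark -T pdml` output; not from a real capture.
SAMPLE_PDML = b"""<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
<packet>
  <proto name="ip">
    <field name="ip.src" showname="Source: 10.0.0.1" show="10.0.0.1"/>
    <field name="ip.dst" showname="Destination: 10.0.0.2" show="10.0.0.2"/>
  </proto>
  <proto name="tcp"><field name="tcp.dstport" show="80"/></proto>
</packet>
<packet>
  <proto name="ip"><field name="ip.src" show="10.0.0.2"/><field name="ip.dst" show="10.0.0.1"/></proto>
  <proto name="tcp"><field name="tcp.dstport" show="51234"/></proto>
</packet>
</pdml>
"""

def parse_pdml(stream, wanted, chunk_size=1 << 16):
    """Stream PDML through expat in chunks so a multi-GB export is never loaded whole;
    returns one dict per <packet> with the first 'show' value of each wanted field."""
    if isinstance(stream, (bytes, bytearray)):
        stream = BytesIO(stream)
    rows, current = [], None
    def start(name, attrs):
        nonlocal current
        if name == "packet":
            current = {}
        elif name == "field" and current is not None and attrs.get("name") in wanted:
            current.setdefault(attrs["name"], attrs.get("show", ""))
    def end(name):
        nonlocal current
        if name == "packet":
            rows.append(current)
            current = None
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, end
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        parser.Parse(chunk, False)
    parser.Parse(b"", True)  # tell expat the document is complete
    return rows

def export_fields(pcap, display_filter, wanted):
    """Run tshark (-Y is its display-filter option) and stream stdout into parse_pdml."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "pdml"]
    with subprocess.Popen(cmd, stdout=subprocess.PIPE) as proc:
        return parse_pdml(proc.stdout, wanted)
```

Only the requested fields are retained per packet, so memory use depends on the number of packets, not on the size of the PDML document.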