tags:

views:

388

answers:

3
+2  Q: 

Is there a way to programatically export files using Wireshark's facilities?

Hi everyone. I am trying to automate a repetitive manual process for which I use WireShark:

1) Load a given pcap file

2) Apply a simple filter for a given protocol

3) Use the export dialog box to export the displayed packets to CSV file

4) Use the export dialog box to export the displayed packets in XML PDML form.

This is tedious, and requires human involvement in the middle of a process that is mostly automated (including the analysis of the files to produce reports).

Is there some way to either automate Wireshark, or do somehow access the underlying libraries used for export?

UPDATE: As several people here indicated, TShark turns out to be the way to go. The exact command line I ended up using is:

tshark -r MyDataFile.pcap -T pdml -R MyProtocol > MyOutputFile.xml\

I then use an event based XML parser (Python's expat) to parse the generated 2GB file

+1  A: 

I haven't ever tried to automate Wireshark before, though I have had to do something similar to what you describe. I ended up reducing the handful of human (and thus error-prone) steps to one step that was automated.

Autohotkey is my solution for lots of repetitive GUI-based tasks. You can very easily write a keystroke playback script that will do all of the above steps. You'll probably have to have it increment the filename for you automatically. You could also have your other automated tool kick off the Autohotkey script with a keystroke.

Dave  2010-03-09 19:56:24
A: 

I think what you should do is look into tshark. That is the linux command line version, which will allow exactly what you ask for (assuming you have access to it). And of course, this assumes that it is acceptable to run tshark and then review the outputs manually.

MJB  2010-03-09 20:28:53
+1  A: 

I watched at the dependency list of wireshark on my debian system, and I found Tshark: it's the command line version of wireshark.

It seems interesting, but I didn't read the manual yet, however it's for sure more script friendly.

Also I'll stay tuned on this thread and post more info when I'll start using it.

Dacav  2010-03-09 20:36:29
Ok, it's awesome. You can extract the field you want and provide both pcap filtering and wireshark display filtering. The output is pushed on the stdout, therefore you can easily script it out.
Dacav  2010-03-10 15:04:46

related questions

Pypcap for mac on python 2.6?
help using pcap library to sniff packets
printing sequence number of a sniffed packet
question about pcap
How to use pcap_breakloop?
How can I filter a pcap file by specific protocol using python?
uncompress gzipped HTTP message
Why ruby's(ver 1.9) pcap gem, hanging after accessing it?
Which Packet Capture Format is better?
Determining type of pcap file.
How to send pcap file packets on NIC?
How portable is the output of pcap_compile?
Using pcap in VS .NET 2003 and error C2085, C2061
how do you decrypt SSH .pcap file that uses Diffie Hellman ecryption. With public and private keys.
libpcap : No Wireless Devices detected
pcap struct pcap_pkthdr len vs caplen
PCAP Alternatives
How to read multiple pcap files >2GB?
How do I modify the destination MAC address in a packet?
How to concatenate two tcpdump files (pcap files)
Getting the number of packets in a pcap capture file?
Can libpcap reassemble TCP segments
libpcap, pcap_next_ex, and incompatible pointer types
IPv6 decoder for pcapy/impacket