Hi,
I have a trace that carries information that I need to process in
the Ethernet II Subtree, that are the “Trailer” and the “Frame Check Sequence” fields.
When using “tshark” to export to a CSV file, I’m being able to
export all the additional data I need, but from the two filed indicate before,
only “Trailer” it’s possible to export because it’s the only one that can be characterized
by a filter (“eth.trailer”). For the “Frame Check Sequence” there is no filter
available and so there is no possibility to identify the tshark option “-e”
with it.
The tshark options I’m using are the following,
where the “Frame
Check Sequence” is missing because the filter impossibility, is the follwoing:
tshark -r
http_testfile.pcap -T fields -e frame.number -e frame.date -e frame.time
-e frame.time_delta -e frame.len -e vlan.id -e ip.proto -e ip.src -e ip.dst -e
ip.dsfield -e ip.dsfield.dscp -e ip.flags -e ip.frag_offset -e ip.ttl -e ip.len
-e tcp.stream -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.hdr_len -e
tcp.ack -e tcp.window_size -e tcp.analysis.ack_rtt -e tcp.analysis.acks_frame
-e tcp.analysis.lost_segment -e data.len -e tcp.flags -e tcp.options.mss_val -e eth.trailer -E header=y -E
separator=";" > http_testfile.csv
There is an option where tshark export the “Frame Check Sequence”,
but this is a PDML file will al the packets extended information, so I need to
create a parser to remove the packet number and the correspondent “Frame Check
Sequence” to be able to correlated it with the previous CSV file, and include a
new column with the “Frame Check Sequence” values.
tshark -r http_testfile.pcap -T pdml > http_testfile.txt
Output example:
<field name="" show="Frame check sequence:
0x1b6e5da0(…)>
Do you know any way to collect the “Frame Check Sequence”
field to a CSV file?
Thanks in advanced.
Pedro
