LabEx
Log InJoin For Free

Extract Packet Fields in Tshark

WiresharkWiresharkBeginner
Practice Now

Introduction

In this lab, you will learn how to extract specific packet fields from network traffic using Wireshark's command-line tool tshark. You'll practice selecting common fields like source IP (ip.src) and TCP port (tcp.port), while mastering output formatting with -T fields and custom separators.

The exercises will guide you through packet capture, field extraction with -e flag, and data export to CSV format. You'll learn to structure output for better readability and analysis, using techniques like separator configuration with -E separator=, and output redirection.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/export_packets("Exporting Packets") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/export_packets -.-> lab-548927{{"Extract Packet Fields in Tshark"}} wireshark/packet_analysis -.-> lab-548927{{"Extract Packet Fields in Tshark"}} wireshark/commandline_usage -.-> lab-548927{{"Extract Packet Fields in Tshark"}} end

Select Fields with -e ip.src -e tcp.port

In this step, you will learn how to extract specific fields from network packet captures using Wireshark's command-line tool tshark. Network packets contain many different pieces of information, and often we only need to look at specific fields for our analysis. Here, we'll focus on two important fields: the source IP address (ip.src) which tells us where the packet came from, and the TCP port number (tcp.port) which identifies the specific service or application being used.

First, we need some sample network traffic to work with. The following command will generate simple web traffic that we can capture:

curl -s http://example.com > /dev/null

Now, let's capture this traffic using tshark. The command below will capture 10 packets and save them to a file called sample.pcap. The .pcap format is standard for storing network traffic captures:

tshark -c 10 -w sample.pcap

With our capture file ready, we can now extract just the fields we're interested in. The following command reads the capture file and outputs only the source IP addresses and TCP ports:

tshark -r sample.pcap -T fields -e ip.src -e tcp.port

Let's break down what each part of this command does:

  • -r sample.pcap tells tshark to read from our captured file
  • -T fields specifies that we want the output in field format (as opposed to other formats like XML or JSON)
  • -e ip.src selects the source IP address field
  • -e tcp.port selects the TCP port field

The output will appear as tab-separated values, with each line representing a packet and showing first the source IP, then the port number:

192.168.1.1    443
192.168.1.2    80

To make this easier to work with, we can save the output to a file. This is particularly useful when dealing with large captures or when we want to process the data further:

tshark -r sample.pcap -T fields -e ip.src -e tcp.port > temp.txt
cat temp.txt

The > symbol redirects the output to a file, and cat lets us view the contents of that file. This approach gives us a permanent record of our filtered data that we can reference later or analyze with other tools.

Set Output to Fields with -T fields

In this step, we'll explore how to customize tshark's output to display only the specific packet fields we need. The -T fields option transforms the default packet display into a structured format that's easier to process and analyze.

When you first run tshark without any field specifications, it shows a comprehensive but sometimes overwhelming view of each packet:

tshark -r sample.pcap -c 3

This default view includes all available packet details. However, for focused analysis, we often need just a few key pieces of information. That's where field extraction comes in. The following command demonstrates how to select specific fields:

tshark -r sample.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.port

Let's break down what each part of this command does:

  • -T fields tells tshark we want field-based output instead of the default packet summary
  • -e frame.number extracts the packet's position in the capture file
  • -e ip.src shows where the packet came from (source IP)
  • -e ip.dst shows where the packet is going (destination IP)
  • -e tcp.port reveals which network port is being used

The result is clean, tab-separated output that looks like this:

1    192.168.1.1    192.168.1.2    443
2    192.168.1.2    192.168.1.1    80

This format is particularly useful when you need to process the data further or import it into other tools. If you're unsure what fields are available or need to verify field names, you can search the complete list:

tshark -G fields | grep -E 'ip.src|ip.dst|tcp.port'

This command helps you discover all related fields for IP addresses and TCP ports that you might want to include in your analysis.

Use Comma Separator with -E separator=

In this step, we'll learn how to change the field separator in tshark output from tabs to commas. This modification is particularly useful when you need to import the data into spreadsheet applications like Excel or analyze it with tools that expect CSV (Comma-Separated Values) format.

First, let's revisit the basic command we used earlier that produces tab-separated output. This helps us understand what we're changing:

tshark -r sample.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.port -c 3

To convert this output to CSV format, we'll use the -E option with separator=,. This tells tshark to use commas instead of tabs between fields:

tshark -r sample.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.port -E separator=, -c 3

Let's break down what each part of this command does:

  • -E separator=, is the key addition that changes the separator to a comma
  • All other options (-r, -T fields, -e fields, -c) work exactly as before
  • The order of options doesn't matter as long as they're all present

After running this command, you'll see output formatted like this:

1,192.168.1.1,192.168.1.2,443
2,192.168.1.2,192.168.1.1,80
3,192.168.1.3,192.168.1.4,22

To confirm the separator has actually changed to commas (especially useful if you can't visually distinguish tabs from spaces), you can pipe the output to od -c which shows special characters:

tshark -r sample.pcap -T fields -e frame.number -e ip.src -E separator=, -c 1 | od -c

This verification step helps ensure your output will be properly interpreted by CSV readers, which is crucial when preparing data for analysis in other tools.

Export to File with > fields.csv

In this step, we'll learn how to save the extracted packet data into a CSV (Comma-Separated Values) file. CSV is a simple file format that stores tabular data in plain text, making it perfect for analysis in spreadsheet applications or data processing tools. By saving our packet data to a file, we create a permanent record that can be shared, analyzed, or processed later.

Let's combine everything we've learned so far into a single command that extracts multiple packet fields and saves them to a file:

tshark -r sample.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.port -E separator=, > fields.csv

Here's what each part does:

  • -r sample.pcap reads our packet capture file
  • -T fields tells Tshark we want field output
  • Each -e flag specifies a field to extract (packet number, source IP, destination IP, and port)
  • -E separator=, sets the comma as our field separator
  • > fields.csv redirects the output to a file instead of showing it on screen

After running this command, let's check if our file was created properly:

ls -l fields.csv
head fields.csv

The ls -l command shows file details, while head displays the first few lines. Your output should look something like this:

1,192.168.1.1,192.168.1.2,443
2,192.168.1.2,192.168.1.1,80
3,192.168.1.3,192.168.1.4,22

To make this data more understandable, we can add column headers. Here's how to create a new file with headers and combine it with our data:

echo "Packet,Source,Destination,Port" > headers.csv
cat headers.csv fields.csv > final.csv
mv final.csv fields.csv

This creates a new version of our CSV file with descriptive headers at the top, making it much easier to work with the data in spreadsheet applications.

Summary

In this lab, you have learned how to extract specific packet fields using Wireshark's command-line tool tshark. The exercises covered selecting fields with -e flag, formatting output with -T fields, and saving results to files for analysis.

You also practiced combining multiple fields like frame.number, ip.src, and tcp.port into structured outputs. These techniques enable efficient transformation of raw packet data into organized formats suitable for network troubleshooting.

Related Wireshark Courses
Quick Start with Wireshark

Quick Start with Wireshark

Cybersecurity
Beginner