System Administration & Network Administration
tcpdump tshark
Updated Sun, 10 Jul 2022 12:33:57 GMT

Display delta timestamp and UDP data payload with tcpdump/tshark


I have a 1.5Gb capture of small UDP packets that I would like to turn into a CSV with just timestamp and UDP payload data in hex format.

An example of the desired output would be as follows:

% head Data3.txt 
0.000000,0000000041000000005ec812ac00047dce00000000
0.000194,0000000042000000005ec812ac00047db500000000
0.000227,0000000041000000005ec812ac00047dce00000000
0.000619,0000000042000000005ec812ac00047db500000000
0.000663,0000000041000000005ec812ac00047dce00000000
0.000854,0000000042000000005ec812ac00047db500000000
0.000883,0000000041000000005ec812ac00047dce00000000

I do not need this exact format, just a format that can later be transformed into this data (in this case they are 21 bytes length UDP packets).

I am struggling to achieve this with tcpdump without success, so I have found that tshark can do the job:

  tshark -r May31Jun5.pcap -t r -T fields -e frame.time -e data

That command gives the delta time and payload as required (see below excerpt).

Jun  1, 2020 00:02:27.567001000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567014000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567028000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567042000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567056000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567066000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567106000 CEST    0000000054000000005ed4297300049fb100000001
Jun  1, 2020 00:02:27.567124000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567137000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567152000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:28.095487000 CEST    0000000041000000005ed4297300049fe300000000

However I would like to have just seconds with decimals, so instead of:

Jun  1, 2020 00:02:28.095487000

It would be:

148.095487000

How can I achieve that? I guess it is possible because the GUI version of Wireshark display that value.

Solution

To get a CSV-style output for simple fields, you can use the -T fields option with tshark, combined with the -E separator=, option to use commas as separator as opposed to tabs.

Next, to figure out what kind of field names to use, check the status bar in the GUI for a selected field, or use tshark -T pdml -r some.pcap for example, or tshark -G fields for a full list of supported fields.

For columns, you can use the special _ws.col.<name> field. For example, _ws.col.Time.

Combining this information, you can use something like:

tshark -r your.pcap -Tfields -Eseparator=, -eframe.time_relative -edata > your.csv

Bonus information:

  • If a UDP (e.g. DNS) consumes the UDP payload, the data field will be empty. Add the --disable-protocol dns to avoid that.
  • In the current development version, a new udp.payload option has been added which should avoid the previous option. (commit v3.3.0rc0-250-gf04475167a)
  • If for some reason a field occurs multiple times, it will be output, separated by commas. You can use the -E occurence=1 option to limit the results to the first value only.
  • For more details about these options, see the tshark manual page.

Comments (1)

  • +0 – Thanks, excellent and very complete answer and it includes tips I was not aware of. — Jun 07, 2020 at 20:07  

External Links

External links referenced by this document:

References