@shahifaqeer
Last active June 7, 2017 17:03

Revisions

  1. shahifaqeer revised this gist Jun 7, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion tshark_extract.sh
    @@ -1,7 +1,7 @@
    # tshark -r file.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -Y "dns.flags.response eq 0" > file.csv
    #!/bin/bash

    # editcap -i 3600 dns_all_20170124_20170130.pcap split_20170124_20170130/split_hour.pcap
    # tshark -r file.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -Y "dns.flags.response eq 0" > file.csv

    date=$1 #20170124_20170130 or 20170207_20170212
    for filename in split_$date/*.pcap; do
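Review bot: Moving `#!/bin/bash` to the first line is the right fix, and the reason belongs in the revision note: a `#!` line anywhere but line 1 is an ordinary comment, so in the previous revision the file had no interpreter line and which shell ran `date=$1` and the `for` loop depended entirely on how the script was invoked. Two points remain on the unchanged lines of this hunk. `for filename in split_$date/*.pcap; do` leaves `$date` unquoted, so a value with whitespace would be word-split before globbing; `"split_$date"/*.pcap` is the safe form. And with bash's default globbing, an empty or missing `split_$date/` directory makes the loop run once with the literal pattern as `$filename`, so tshark is invoked on a file that does not exist; `shopt -s nullglob` before the loop, or `[ -e "$filename" ] || continue` as its first statement, avoids that. Naming the variable `date` is also confusing next to the `date` command; `range` or `span` would read better.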
  2. shahifaqeer revised this gist Jun 7, 2017. 1 changed file with 5 additions and 3 deletions.
    8 changes: 5 additions & 3 deletions tshark_extract.sh
    @@ -1,8 +1,10 @@
    # tshark -r file.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -Y "dns.flags.response eq 0" > file.csv

    #!/bin/bash

    # editcap -i 3600 dns_all_20170124_20170130.pcap split_20170124_20170130/split_hour.pcap

    date=$1 #20170124_20170130 or 20170207_20170212
    for filename in split_$date/*.pcap; do
    echo "extract $filename to tshark_$date"
    tshark -r "$filename" -E separator="|" -T fields -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -Y "dns.flags.response eq 0" > "tshark_$date/$(basename "$filename" .pcap).csv"
    echo "extract $filename to tshark_$date"
    tshark -r "$filename" -E separator="|" -T fields -e frame.time_epoch -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -e dns.qry.type -Y "dns.flags.response eq 0" > "tshark_$date/$(basename "$filename" .pcap).csv"
    done
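Review bot: The addition of `-e frame.time_epoch` deserves a comment explaining why it sits next to `-e frame.time_relative`: the `editcap -i 3600` split recorded in the comment above this hunk restarts each split file's relative clock at that file's first frame, so only the epoch column can order rows across the hourly CSVs. The output now has six columns and still no header row, so the column order is recoverable only from this script; `-E header=y` would make each CSV self-describing. Note also that `-E separator="|"` with a `.csv` extension will confuse any consumer that assumes comma separation, and that `dns.qry.name` is whatever was on the wire, so a name containing the separator byte would shift columns; adding `-E quote=d` keeps such values in one field.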
  3. shahifaqeer revised this gist Mar 1, 2017. 2 changed files with 8 additions and 1 deletion.
    1 change: 0 additions & 1 deletion dnsquery_extract
    @@ -1 +0,0 @@
    tshark -r file.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -Y "dns.flags.response eq 0" > file.csv
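Review bot: Deleting `dnsquery_extract` is fine because the same one-liner is carried over as the first comment of the new `tshark_extract.sh` in this revision, but the copy kept there shows the old default-tab form rather than the `-E separator="|"` form the script actually runs, so the reference comment and the real command disagree from the first revision onward.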
    8 changes: 8 additions & 0 deletions tshark_extract.sh
    @@ -0,0 +1,8 @@
    # tshark -r file.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -Y "dns.flags.response eq 0" > file.csv

    #!/bin/bash
    date=$1 #20170124_20170130 or 20170207_20170212
    for filename in split_$date/*.pcap; do
    echo "extract $filename to tshark_$date"
    tshark -r "$filename" -E separator="|" -T fields -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -Y "dns.flags.response eq 0" > "tshark_$date/$(basename "$filename" .pcap).csv"
    done
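Review bot: `#!/bin/bash` on line 3 is not a shebang. It follows the tshark comment and a blank line, so the file has no interpreter line at all: `./tshark_extract.sh` will be run by whatever shell the caller is using, and `$(basename "$filename" .pcap)` and the quoting in the loop only behave as intended under bash. Move the shebang to line 1 and put the reference comment after it. The redirection `> "tshark_$date/$(basename "$filename" .pcap).csv"` also assumes `tshark_$date/` already exists; with no `mkdir -p "tshark_$date"` before the loop, every iteration fails on the redirect and the `echo` lines are the only output. The `-Y "dns.flags.response eq 0"` filter correctly keeps only queries, which matches the purpose described in the comment.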
  4. shahifaqeer created this gist Feb 16, 2017.
    1 change: 1 addition & 0 deletions dnsquery_extract
    @@ -0,0 +1 @@
    tshark -r file.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -Y "dns.flags.response eq 0" > file.csv
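Review bot: With `-T fields` and no `-E separator=` option, tshark emits tab-separated values, so `> file.csv` produces a TSV under a `.csv` name; either pass `-E separator=,` (and `-E quote=d`, since a `dns.qry.name` seen on the wire can contain any byte, including a comma) or call the output `.tsv`. The display filter `dns.flags.response eq 0` does select queries only, as the file name `dnsquery_extract` implies, but `frame.time_relative` is measured from the first frame of the capture, so the timestamps are comparable only within a single pcap; `frame.time_epoch` is the field to use if rows from several captures are to be merged.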