Converting raw packets to text

I had a requirement to convert pcap files to text because Splunk's sales engineer advised me that this was needed before Splunk could index information from packet captures.
TShark, the command-line companion to Wireshark, is the tool to fulfill this need. From Windows (run from the Wireshark install directory unless it is on your PATH):

C:\Program Files\Wireshark>tshark -r c:\Forensic\network.pcap -T text > c:\Forensic\network.txt

From Ubuntu:

commandrine@bridge:~$ tshark -r network.pcap -T text > network.txt

By default, tshark only writes one-line summaries of the packets in your capture ("-T text" is the default output format, so it can be omitted). The "-V" switch adds the full packet-detail tree and the "-x" switch adds a hex/ASCII dump of each packet's bytes; combined as "-Vx" you get both. A word of caution: the text output from "-Vx" will be many times larger than the original pcap, since every protocol layer of every packet is decoded into text and then dumped again in hex, so check free disk space before converting a large capture. If Splunk only needs a handful of fields per packet, "-T fields" with one "-e" per field produces a far smaller delimited output.
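As an added example (not code from the original post), here is a small POSIX shell wrapper around tshark for the conversion described above. It assumes tshark is on PATH when pcap2txt is called; the mode names (summary, verbose, hexdump, fields) are my own, and the fields mode goes beyond the post by showing tshark's "-T fields" output, which gives one delimited row per packet and is far smaller than a full "-Vx" dump. The growth_factor check makes the size warning concrete by reporting how many times larger the text file is than the pcap.

```shell
#!/bin/sh
# pcap2txt.sh: wrap tshark for pcap-to-text conversion (added example).
# Assumes tshark is on PATH when pcap2txt is called.

# Print the tshark output flags for a conversion mode (mode names are my own):
#   summary : one line per packet (tshark's default; -T text is implied)
#   verbose : full packet-detail tree
#   hexdump : detail tree plus hex/ASCII dump of every packet (the "-Vx" case)
#   fields  : comma-separated selected fields, one row per packet
mode_flags() {
    case "$1" in
        summary) echo "-T text" ;;
        verbose) echo "-T text -V" ;;
        hexdump) echo "-T text -V -x" ;;
        fields)  echo "-T fields -E header=y -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e frame.protocols" ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Integer growth factor: size of the text output divided by size of the pcap.
growth_factor() {
    in_bytes=$(wc -c < "$1" | tr -d ' ')
    out_bytes=$(wc -c < "$2" | tr -d ' ')
    [ "$in_bytes" -gt 0 ] || { echo "empty input: $1" >&2; return 1; }
    echo $((out_bytes / in_bytes))
}

# pcap2txt MODE IN.pcap OUT.txt
pcap2txt() {
    mode="$1"; pcap="$2"; out="$3"
    [ -r "$pcap" ] || { echo "cannot read $pcap" >&2; return 1; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found in PATH" >&2; return 1; }
    flags=$(mode_flags "$mode") || return 2
    # Word-splitting of $flags is intended: no single flag token contains a space.
    tshark -r "$pcap" $flags > "$out" || { echo "tshark failed on $pcap" >&2; return 1; }
    echo "$pcap -> $out (text is $(growth_factor "$pcap" "$out")x the pcap size)"
}

# Usage when run directly: ./pcap2txt.sh hexdump network.pcap network.txt
if [ "$#" -eq 3 ]; then
    pcap2txt "$@"
fi
```

Run the hexdump mode on a small capture first and look at the reported growth factor before committing a multi-gigabyte pcap to it; if the factor is in the tens or hundreds, the fields mode (with -e fields chosen to match what you actually search in Splunk) is usually the better thing to index.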
