Wireshark-users: [Wireshark-users] tshark export “Frame Check Sequence” field

From: jem last <jlast20@xxxxxxxxx>
Date: Thu, 3 Jun 2010 22:34:32 +0100

Hi,

I have a trace that carries information that I need to process in the Ethernet II Subtree, that are the “Trailer” and the “Frame Check Sequence” fields.

When using “tshark” to export to a CSV file, I’m being able to export all the additional data I need, but from the two filed indicate before, only “Trailer” it’s possible to export because it’s the only one that can be characterized by a filter (“eth.trailer”). For the “Frame Check Sequence” there is no filter available and so there is no possibility to identify the tshark option “-e” with it.

The tshark options I’m using are the following, where the “Frame Check Sequence” is missing because the filter impossibility, is the follwoing:

tshark -r http_testfile.pcap -T fields -e frame.number -e frame.date -e frame.time -e frame.time_delta -e frame.len -e vlan.id -e ip.proto -e ip.src -e ip.dst -e ip.dsfield -e ip.dsfield.dscp -e ip.flags -e ip.frag_offset -e ip.ttl -e ip.len -e tcp.stream -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.hdr_len -e tcp.ack -e tcp.window_size -e tcp.analysis.ack_rtt -e tcp.analysis.acks_frame -e tcp.analysis.lost_segment -e data.len -e tcp.flags -e tcp.options.mss_val -e eth.trailer -E header=y -E separator=";" >  http_testfile.csv

There is an option where tshark export the “Frame Check Sequence”, but this is a PDML file will al the packets extended information, so I need to create a parser to remove the packet number and the correspondent “Frame Check Sequence” to be able to correlated it with the previous CSV file, and include a new column with the “Frame Check Sequence” values.

tshark -r http_testfile.pcap -T pdml > http_testfile.txt

Output example:

<field name="" show="Frame check sequence: 0x1b6e5da0(…)>

Do you know any way to collect the “Frame Check Sequence” field to a CSV file?

Thanks in advanced.

Pedro