pcap文件（pcap文件格式）

-r

指定要分析的.pcap文件

-T fields 说明要对.pcap文件重的fields进行提取

-e

filed_name

制定要提取的fields的名字，按照-e的先后顺序，不同的field按列顺序的排列在.csv文件中。

各种field名称可以从wireshark的网站上查询，主要有TCP协议的fileds，IP协议的fields，UDP协议的fields，HTTP协议。

-E

指定输出field的格式，包括如下格式：

• header=y|n If y, print a list of the field names given using -e as the first line of the output; the field name will be separated using the same character as the field values. Defaults to n.
  • separator=/t|/s| Set the separator character to use for fields. If /t tab will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.
    • occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).
      • aggregator=,|/s| Set the aggregator character to use for fields that have multiple occurrences. If , a comma will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.
        • quote=d|s|n Set the quote character to use to surround fields. d uses double-quotes, s single-quotes, n no quotes (the default).