pcap-processor
A CLI tool for extracting and summarizing information from pcap files. Wraps tshark (Wireshark's CLI) to leverage full Wireshark display filter support.
Installation
Prerequisites
- tshark (Wireshark CLI) must be installed:
  - macOS: brew install wireshark
  - Ubuntu/Debian: apt install tshark
  - RHEL/Fedora: dnf install wireshark-cli

Reading a capture runs Wireshark's protocol dissectors over untrusted input, so, as with tshark itself, do not run the tool as root; reading pcap files needs no capture privileges.
Build from source
Build the release profile with Cargo (cargo build --release). The binary will be at ./target/release/pcap-processor.
Usage
unique - Extract unique field values
Common ways to use it:
- Basic usage: extract unique source IPs
- Multiple files or glob patterns
- With a display filter
- Including occurrence counts
- Sorting by count (descending)
- Output as JSON
- Output as CSV
- Disabling name resolution (faster)
Options
| Option | Description |
|---|---|
| -f, --filter <FILTER> | Wireshark display filter |
| -F, --format <FORMAT> | Output format: plain (default), json, csv |
| -c, --count | Include occurrence counts |
| -s, --sort <ORDER> | Sort by: value (default), count |
| -n, --no-resolve | Disable name resolution |
| --tshark <PATH> | Custom tshark path (or set the PCAP_PROCESSOR_TSHARK environment variable) |
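To see what a "unique values with counts, sorted by count" query reduces to underneath, here is the equivalent raw tshark pipeline as an added example. It is not code from pcap-processor; it only uses real tshark options (-r, -T fields, -e, -Y, -n, -E occurrence) and is split into a command builder and an aggregator so the aggregation can be exercised offline on a constructed sample of tshark field output.

```bash
#!/usr/bin/env bash
# Added example, not part of pcap-processor: the tshark pipeline behind
# "unique field values, with counts, sorted by count descending".

# Build the tshark command line for one field, one pcap and an optional
# display filter. -n disables name resolution; -E occurrence=f keeps only
# the first value when a packet carries the field more than once (the
# default joins all occurrences with commas on a single line).
build_tshark_cmd() {
  local field=$1 pcap=$2 filter=${3:-}
  local cmd="tshark -n -r '$pcap' -T fields -E occurrence=f -e '$field'"
  if [ -n "$filter" ]; then
    cmd="$cmd -Y '$filter'"
  fi
  printf '%s\n' "$cmd"
}

# Aggregate one value per line (what tshark -T fields prints) into
# "count value" lines, highest count first, ties ordered by value.
# Packets that lack the field print an empty line, so blank lines are
# dropped instead of being counted as a value.
count_unique() {
  grep -v '^$' | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{print $1, $2}'
}

# Constructed sample of `tshark -T fields -e ip.src` output (one packet
# per line; the blank line stands for a packet with no ip.src, e.g. ARP).
SAMPLE_FIELD_OUTPUT='192.168.1.1
10.0.0.1
192.168.1.1
192.168.1.100

192.168.1.1'

# Run the aggregator over the constructed sample.
summarize_sample() {
  printf '%s\n' "$SAMPLE_FIELD_OUTPUT" | count_unique
}

# Usage: print the command that would be run, then the offline summary.
build_tshark_cmd ip.src capture.pcap 'tcp.port == 443'
summarize_sample
```

Piping the built command into count_unique reproduces the "Plain with counts" layout shown below; sorting by value instead is just dropping the second sort.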
Example Output
Plain (default):
192.168.1.1
192.168.1.100
10.0.0.1
Plain with counts:
150 192.168.1.1
45 192.168.1.100
12 10.0.0.1
JSON:
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 2 | tshark not found |
| 3 | Input error (file not found, no files matched) |
| 4 | Syntax error (invalid field or filter) |
| 5 | tshark execution error |
License
MIT