.pcap文件是二进制格式的网络轨迹（Network trace）文件，记录了网络通信过程的数据包信息。csv(comma separated values)是一种用逗号','分隔的文本文件，类似于excel文件。

.pcap文件是二进制文件，需要从中提取信息并以csv的格式进行存储。可以使用tshark实现对.pcap文件进行分析。

例如，从.pcap文件中提取数据包的mac地址、ip地址、TCP/UDP等可以用以下命令。
tshark -r test.pcap -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -E header=y -E separator=, -E quote=d -E occurrence=f > test.csv

-r 指定要分析的.pcap文件
-T fields 说明要对.pcap文件重的fields进行提取
-e filed_name 制定要提取的fields的名字，按照-e的先后顺序，不同的field按列顺序的排列在.csv文件中。
各种field名称可以从wireshark的网站上查询，主要有TCP协议的fileds，IP协议的fields，UDP协议的fields，HTTP协议。
-E 指定输出field的格式，包括如下格式：

• header=y|n If y, print a list of the field names given using -e as the first line of the output; the field name will be separated using the same character as the field values. Defaults to n.

• separator=/t|/s| Set the separator character to use for fields. If /t tab will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.

• occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).

• aggregator=,|/s| Set the aggregator character to use for fields that have multiple occurrences. If , a comma will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.

• quote=d|s|n Set the quote character to use to surround fields. d uses double-quotes, s single-quotes, n no quotes (the default).