tshark: get packet numbers of exported HTTP objects

I am trying to obtain the associated packet numbers, and source and destination IPs of each exported object obtained from tshark. I am currently using a command like

tshark -r trace.pcap --export-objects "http,/tmp/"

which, of course, just gives the filenames as they appeared in the capture. I saw this other question for DICOM objects (https://ask.wireshark.org/question/15...), which gives the packet number in the exported filename, but I don't know if this is available currently for HTTP.

I am considering something like doing further parsing of the pcap to search for HTTP GET of the files in question and the associated 200 OK responses, but I don't know if that is a good way of doing this (I can think of a problem with this off the top of my head if multiple files have the same filename like favicon.ico).

pptenshi
asked 2020-06-17 16:02:48 +0000

1 Answer

There was a proposed patch that wasn't accepted.

The patch adds the packet number to the filename and changes the extension according to the Content-Type.

Might be worth opening an enhancement request in Bugzilla.

Until then, it looks like a programming/scripting exercise to get your data.

Chuckc
answered 2020-06-17 19:27:02 +0000

Comments

The referenced change was more about solving the issue of illegal characters when converting the URL path to a filename, and using the packet number was one option that wasn't really considered in the later work.

I think this does warrant an enhancement request.

@pptenshi, post a comment back here with the enhancement request link so that others looking for the answer to this question can follow it up.

grahamb (2020-06-17 19:50:19 +0000)
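
One way to script this, as an added example that is not part of the original thread: ask tshark for one row per HTTP response and key each object on its frame number rather than its filename, so that repeated names such as favicon.ico stay distinct. The sample rows are constructed, the field list in the comment is an assumption about what to request from tshark, and the script does not try to reproduce the filenames that --export-objects writes to disk.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumed tshark invocation producing the rows parsed below (tab-separated):
#   tshark -r trace.pcap -Y "http.response" -T fields -E separator=/t \
#     -e frame.number -e ip.src -e ip.dst -e http.request_in \
#     -e http.response.code -e http.response_for.uri
# In a response, ip.src is the server and ip.dst is the client.
FIELDS = ["frame", "server_ip", "client_ip", "request_frame", "status", "uri"]

# Constructed sample output: two different favicon.ico objects, one URL with
# an escaped name and a query string, and one response whose request was not
# captured (empty http.request_in and URI columns).
SAMPLE_TSV = (
    "12\t192.0.2.10\t198.51.100.5\t8\t200\thttp://a.example/favicon.ico\n"
    "31\t192.0.2.20\t198.51.100.5\t27\t200\thttp://b.example/favicon.ico\n"
    "44\t192.0.2.10\t198.51.100.5\t40\t200\thttp://a.example/img/logo%20v2.png?x=1\n"
    "58\t192.0.2.10\t198.51.100.7\t\t404\t\n"
)

def parse_responses(tsv_text):
    """Return one dict per HTTP response row, with a derived object name."""
    rows = []
    reader = csv.reader(io.StringIO(tsv_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for rec in reader:
        if not rec:
            continue
        rec += [""] * (len(FIELDS) - len(rec))  # tolerate short rows
        row = dict(zip(FIELDS, rec))
        row["frame"] = int(row["frame"])
        row["request_frame"] = int(row["request_frame"]) if row["request_frame"] else None
        # Last path segment of the request URI, query string dropped.
        last_segment = urlsplit(row["uri"]).path.rsplit("/", 1)[-1]
        row["name"] = unquote(last_segment) or None
        rows.append(row)
    return rows

def group_by_name(rows):
    """Map each object name to every response that carried it."""
    by_name = defaultdict(list)
    for row in rows:
        by_name[row["name"]].append(row)
    return dict(by_name)

if __name__ == "__main__":
    for name, hits in group_by_name(parse_responses(SAMPLE_TSV)).items():
        for h in hits:
            print(name, h["frame"], h["request_frame"], h["server_ip"], h["client_ip"], h["status"])
```

Names that map to more than one frame are the ambiguous ones; the frame number and server IP tell them apart.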