How to use a capture filter in tshark for http.request traffic

Right now I use a display filter to collect. My LAN traffic is relatively large, which leads to a large number of temporary files under /var/tmp and insufficient hard disk capacity. What I do is

tshark -i eth1 -Y http.request

The -a option cannot be added because tshark will analyze the data even when it stops collecting, and adding the -a option will cause data loss. I want to get rid of most of the irrelevant traffic directly through the capture filter so that this will not happen.

hahaha
asked 2020-08-03 09:10:05 +0000

2 Answers


If you're only interested in HTTP traffic, then you could try applying a capture filter of "tcp port 80", e.g.:

tshark -i eth1 -Y http.request -f "tcp port 80"

And rather than looking at the -a option, you might consider the -b and -w options instead.

cmaynard
answered 2020-08-03 13:56:09 +0000

Comments

I tried

tshark -i eth1 -Y http.request -f "tcp port 80"

I can't get traffic in the LAN, but with

tshark -i eth1 -Y http.request

I can get a large number of packets, like these:

27240 1.171651300 1.199.192.88 → 239.255.255.250 SSDP 183 M-SEARCH * HTTP/1.1
27242 1.171831900 172.16.1.166 → 239.255.255.250 SSDP 175 M-SEARCH * HTTP/1.1
27260 1.172677600 114.239.52.120 → 1.199.195.236 HTTP 129 CONNECT my.37.com:443 HTTP/1.1
27312 1.174767500 39.107.26.95 → 106.46.4.191 HTTP 810 GET http://theta.sogoucdn.com/pc/js/fc.js... HTTP/1.1
27379 1.179422000 121.89.209.207 → 123.149.162.126 HTTP 185 CONNECT h5api.m.taobao.com:443 HTTP/1.1
27561 1.189019800 61.190.171.130 → 1.199.195.236 HTTP ...

hahaha (2020-08-04 00:58:48 +0000)

Well, you will need to construct a suitable capture filter that captures the traffic you're after. I provided a typical example using port 80 because that's the default port for HTTP traffic. If the HTTP traffic of interest uses a different port, then substitute 80 with whatever port is relevant. If you want SSDP traffic as well, then you may need to include something like "host 239.255.255.250" in your capture filter. Read more about capture filters on the pcap-filter man page.

cmaynard (2020-08-04 13:58:00 +0000)

The main reason is that tshark is a little slow in processing data, so I want to solve this problem by modifying the capture filter rules. There are many ports for HTTP traffic in my network, which is obviously impossible to implement with rules, because there are hundreds of hosts in my network. And I want to capture all the traffic and analyze HTTP data in real time, so I want to ask if there is any way to improve tshark's ability to process data. If the processing power is not improved, a large part of the data will be lost.

hahaha (2020-08-05 00:56:47 +0000)

It sounds more like you need to improve capture performance first. Perhaps the first suggestion I would make is to stop using tshark for capturing and simply use dumpcap (or tcpdump) and then post-analyze the traffic with tshark. If you want/need real-time (or semi-real-time) monitoring, then you'd have to come up with a method for having tshark process one file at a time, written by the capture tool once that tool is done writing to a file and moves to the next file. I'm sure something could be scripted. I'm sure there are other possible solutions as well, but this is just one idea. If your capture hardware can't keep up with the load, then you may need to invest in dedicated built-for-purpose hardware, but that's typically not cheap, depending on your needs. Other tips may be found at https://wiki.wireshark.org/Performance

cmaynard (2020-08-05 01:21:46 +0000)

First of all, you should try to use dumpcap instead of tshark for better performance.

You can then work with the advanced capture filters. According to the Wireshark site this filter should fulfill your needs to capture all HTTP GET requests:

dumpcap -i eth1 -f "tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"

JasMan
answered 2020-08-08 13:07:05 +0000

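As an added illustration (not part of JasMan's answer, and not Wireshark or dumpcap code), the Python below evaluates that same pcap-filter expression over constructed TCP segments. It shows why the filter reads the header length from byte 12 rather than assuming a 20-byte header, and why it matches GET requests on any port, which is what the asker's multi-port network needs; the helper names and sample segments are this example's own.

```python
import struct

# Constructed sample data, not from a real capture: bare TCP segments
# (no Ethernet/IP layer), which is the data the pcap-filter "tcp[...]"
# index operator addresses.
def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Return a TCP header plus payload. Options are padded to a multiple of
    4 bytes and the data-offset field (upper nibble of byte 12) is set to the
    header length in 32-bit words, as a real TCP stack would."""
    options += b"\x00" * (-len(options) % 4)
    header_words = (20 + len(options)) // 4
    offset_byte = header_words << 4          # low nibble (reserved bits) stays 0
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,          # source / destination port
                         1, 0,               # sequence / acknowledgement numbers
                         offset_byte,        # byte 12: data offset << 4
                         0x18,               # flags: PSH, ACK
                         65535, 0, 0)        # window, checksum, urgent pointer
    return header + options + payload


def matches_get_filter(tcp: bytes) -> bool:
    """Python equivalent of  tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420.
    (tcp[12] & 0xf0) >> 4 is the header length in 32-bit words; times 4
    (<< 2) gives bytes, so the combined shift is >> 2.  The four bytes at
    that offset are the first payload bytes; 0x47455420 is ASCII "GET "."""
    if len(tcp) < 13:
        return False
    payload_start = (tcp[12] & 0xF0) >> 2
    return tcp[payload_start:payload_start + 4] == b"GET "


def matches_fixed_offset(tcp: bytes) -> bool:
    """Naive variant assuming a 20-byte header (tcp[20:4] = 0x47455420).
    It silently misses requests on connections that carry TCP options."""
    return tcp[20:24] == b"GET "


# NOP, NOP, Timestamps (kind 8, length 10): 12 bytes, common on data segments.
TIMESTAMP_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8

SAMPLES = {
    "get_no_options": build_tcp_segment(b"GET / HTTP/1.1\r\n"),
    "get_with_timestamp": build_tcp_segment(b"GET / HTTP/1.1\r\n", TIMESTAMP_OPTION),
    "post_no_options": build_tcp_segment(b"POST / HTTP/1.1\r\n"),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:20} filter={matches_get_filter(seg)} fixed20={matches_fixed_offset(seg)}")
```

Note that the filter only inspects the first four payload bytes of each segment, so a GET whose request line does not start a segment is not captured, and other methods (POST, CONNECT) need their own four-byte constants.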
