
Filter and add extra fields in the pcap


Hi,

I know that with Wireshark/tshark I can filter and analyze specific fields for an HTTP request, like http.time.

Is there an option to export the original pcap plus the extra fields from a filter into a new pcap, for example for every HTTP request, and add http.time as the delay field in the raw data?

akefallonitis
asked 2020-11-03 14:52:21 +0000

Comments

That is a generated field which Wireshark creates from data in the packet.
You could maybe store it in a packet comment if the file is saved in pcapng format.

packet-http.c
-------------

 { &hf_http_time,
   { "Time since request", "http.time",
    FT_RELATIVE_TIME, BASE_NONE, NULL, 0,
    "Time since the request was sent", HFILL }},

if (! nstime_is_unset(&(curr->req_ts))) {
    nstime_delta(&delta, &pinfo->abs_ts, &(curr->req_ts));
    pi = proto_tree_add_time(http_tree, hf_http_time, tvb, 0, 0, &delta);
    proto_item_set_generated(pi);
}
Chuckc (2020-11-03 15:08:14 +0000)

Yes, I need it to be saved in addition to the data from the packet, for example as you said, in a comment. Do you think that it is possible?

akefallonitis (2020-11-03 15:23:49 +0000)

I'm not sure what other tools you'll be using to process the pcapng, they may not handle comments.

grahamb (2020-11-03 15:29:19 +0000)

Comments or a custom HTTP header would also be an interesting option.

akefallonitis (2020-11-03 15:30:48 +0000)

Adding/appending packet comments in a pcapng file with the Lua API: there they started with Lua, but after discussion it looks like editcap and a shell script may be a good solution.

Other ideas here

Chuckc (2020-11-03 17:38:59 +0000)

1 Answer


Those fields are synthesised or inferred by the Wireshark dissector library from the traffic in the capture file and denoted as such by having "[]" around them, and so cannot be saved in a pcap, as that only contains the traffic as transmitted (along with some other meta-information about the capture interfaces etc.).

Any recipient of the capture file can open it in their copy of Wireshark and see the same information (as long as their version of Wireshark calculates or infers the fields in the same way, we do change things occasionally).

grahamb
answered 2020-11-03 15:00:10 +0000

Comments

Hey, and thanks for your response. I wanted to inject the http.time field or delay into the pcap and use it for further analysis.

akefallonitis (2020-11-03 15:01:36 +0000)

Usually further analysis means post-processing, in which case using tshark to process the file and output exactly the fields required is the way to go. The fields to output can be any Wireshark display filter field.

Look at the -T fields -e fieldname1 -e fieldname2 ... option.

grahamb (2020-11-03 15:08:47 +0000)
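An added example (not code from this thread or from the Wireshark project) that joins the two suggestions above: tshark exports the generated http.time field with -T fields -e, and editcap's -a <framenum>:<comment> option stores it as a pcapng packet comment on the frame that carries the field (the HTTP response). It assumes tshark and editcap are on PATH; the function and file names are my own.

```shell
#!/bin/sh
# Added example: copy a capture to pcapng and attach each frame's
# http.time value as a packet comment, so the generated field travels
# with the file. Only tools that read pcapng comments will see it.

# Convert tshark "frame.number<TAB>http.time" lines (stdin) into one
# "-a N:http.time=<seconds>" editcap option per line. Frames with an
# empty http.time (requests, non-HTTP frames) are dropped.
build_editcap_args() {
    awk -F'\t' '$2 != "" { printf "-a %s:http.time=%s\n", $1, $2 }'
}

# annotate_http_time <in.pcap> <out.pcapng>
# Runs tshark with a display filter so only frames carrying http.time
# are exported, then hands the -a options to editcap.
annotate_http_time() {
    in_file="$1"; out_file="$2"
    set --
    while read -r opt value; do
        # each line is "-a" followed by "N:http.time=<seconds>"
        [ -n "$opt" ] && set -- "$@" "$opt" "$value"
    done <<EOF
$(tshark -r "$in_file" -Y http.time -T fields -e frame.number -e http.time | build_editcap_args)
EOF
    editcap -F pcapng "$@" "$in_file" "$out_file"
}

# Usage: annotate_http_time capture.pcap annotated.pcapng
```

The comments can then be read back with tshark -T fields -e frame.number -e frame.comment, or inspected in Wireshark's packet comment view.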
