How to retrieve some info when I follow an HTTP session offline?

Hello,

I am trying to map HTTP Requests to Responses from a pcap file. I use the following script =>

[image of the script, not reproduced]

I'd like to put each request/response into a CSV file with some attributes (Host, User-Agent, Status Code, Content-Length, etc.). Is it possible to do that directly with tshark?

Mific78
asked 2022-06-06 14:25:26 +0000


2 Answers


Use the -T fields option to selectively output fields. For example:

tshark -r "$1" -T fields -e http.server -e http.user_agent -e http.response.code -e http.content_length_header -e http.response_for.uri -Y http

Note: follow tcp-stream cannot be used if you want CSV format.
And in your example there is a space between 'ascii "$stream' that should be removed. See also tshark documentation.

André
answered 2022-06-06 17:28:48 +0000

Comments

I tried to use -T fields (see example below) but I got a large number of empty lines: it seems that there is one line per stream (HTTP or not) =>

for stream in `tshark -r "$1" -2 -R "tcp and (http.request or http.response)" -T fields -e tcp.stream | sort -n | uniq`
do
  tshark -q -r "$1" -z follow,http,ascii,"$stream" -T fields -e http.server -e http.user_agent >> results.txt
done
Mific78 (2022-06-06 18:17:06 +0000)

You omitted the display filter (-Y). So for every packet that does not contain a requested field, an empty field is output, resulting in a lot of lines with only tabs.

André (2022-06-07 21:39:28 +0000)

Update: This script meets my needs (the "json.txt" file contains only the request/response pairs in JSON format) =>

for stream in $(tshark -r "$1" -2 -R "tcp and (http.request or http.response)" -T fields -e tcp.stream | sort -n | uniq)
do
  tshark -q -r "$1" -z follow,http,ascii,"$stream" -Y "tcp.stream == $stream and (tcp and (http.request or http.response))" -T json -j "http" >> results.txt
done
sed '/===================================================================/,/===================================================================/d' results.txt > json.txt
Mific78
answered 2022-06-07 10:00:06 +0000

Comments

Instead of using the sed command to remove unwanted text, it is better to instruct tshark not to output it in the first place by removing the -z option (and -q).

I don’t see the need for the for-loop. You can output all http requests and responses in one go.

André (2022-06-07 21:40:16 +0000)
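As an added example (not code from either answer or from the Wireshark project), the following POSIX shell script puts both suggestions together: a single tshark pass with a -Y filter, so no rows of bare tabs appear and no per-stream loop or sed cleanup is needed, followed by an awk step that pairs each response with its request through the standard http.request_in field and writes CSV. The field names are the tshark HTTP dissector's own; the sample rows are constructed here to mimic tshark -T fields output, since the original pcap is not available, and the script also keeps requests that never received a response rather than dropping them.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the one-pass tshark
# command and pairs the resulting request/response rows into CSV.
# Assumed: the tshark field names below (all standard HTTP dissector fields).

TAB=$(printf '\t')

# Fields requested from tshark, in column order. http.request_in is set on a
# response and holds the frame number of the request it answers.
FIELDS="frame.number tcp.stream http.request.method http.host http.request.uri http.user_agent http.response.code http.content_length_header http.request_in"

# Print the tshark command for a pcap path. The -Y filter is what keeps
# non-HTTP packets out, so no rows of bare tabs are produced; occurrence=f
# keeps the first value if a field repeats inside one frame.
tshark_cmd() {
    printf 'tshark -r "%s" -Y "http.request or http.response" -T fields -E separator=/t -E occurrence=f' "$1"
    for f in $FIELDS; do printf ' -e %s' "$f"; done
    printf '\n'
}

# Read tab-separated tshark rows on stdin, write CSV on stdout. Requests are
# remembered by frame number; a response row is matched through column 9.
# Requests that never got a response are emitted at the end with empty
# response columns, so they are not silently lost.
pair_http() {
    awk -F"$TAB" -v OFS=',' '
    function q(s) { gsub(/"/, "\"\"", s); return "\"" s "\"" }   # CSV-quote a field
    BEGIN { print "request_frame,response_frame,stream,method,host,uri,user_agent,status,content_length" }
    $3 != "" {                      # request row (has a method)
        stream[$1] = $2; method[$1] = $3; host[$1] = $4; uri[$1] = $5; ua[$1] = $6
        next
    }
    $9 != "" && ($9 in method) {    # response row pointing at a known request
        r = $9
        print r, $1, stream[r], q(method[r]), q(host[r]), q(uri[r]), q(ua[r]), $7, $8
        delete method[r]
    }
    END {
        for (r in method)
            print r, "", stream[r], q(method[r]), q(host[r]), q(uri[r]), q(ua[r]), "", ""
    }'
}

# Constructed sample of what tshark -T fields emits for the fields above:
# a GET answered by a 200, and a second GET that never got a response.
sample_rows() {
    printf '1\t0\tGET\texample.test\t/index.html\tcurl/8.0\t\t\t\n'
    printf '2\t0\t\t\t\t\t200\t512\t1\n'
    printf '3\t0\tGET\texample.test\t/missing\tcurl/8.0\t\t\t\n'
}

# Usage on a real capture: eval "$(tshark_cmd capture.pcap)" | pair_http > http.csv
# Stand-alone demo on the constructed rows:
sample_rows | pair_http
```

The pairing relies on tshark emitting the request before its response, which frame order guarantees; the unmatched request printed in the last row is the case a reviewer of a capture usually wants to see, since a request with no answer is often the interesting one.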