Wireshark mailing list archives
Re: question about exporting/filtering files
From: Gerald Combs <gerald () wireshark org>
Date: Wed, 02 Dec 2009 10:17:00 -0800
Richard Bejtlich wrote:
> On Tue, Dec 1, 2009 at 1:17 PM, zeev mintz <zeevmintz () yahoo com> wrote:
>> Hi,
>>
>> I have captured lots of traffic, and I would like to filter out certain packets from my captures. For example, I want to filter only http GET messages.
>>
>> Since I have over a thousand log files (each over 100mb), I need a fast (or some kind of automatic) way to export only the http GET messages from all the log files, into several small files (no bigger than 100mb each).
>>
>> As far as I can see, I can't filter messages during capture by the http method (GET), and there is no export feature through the wireshark terminal commands.
>>
>> What can I do?
>>
>> Thanks a lot,
>> shalev
>
> Hello,
>
> Do you need to save the actual packet, or only the GET request messages?
>
> If you only need to save the GET requests, you can use a Tshark display filter.
>
>     tshark -i wlan0 -R 'http.request.method == "GET"'
>
>     2009-12-02 12:27:29.001591 192.168.2.107 34431 172.16.2.1 3128 HTTP GET http://www.bejtlich.net/index.html HTTP/1.0
>
> Unfortunately, if you want to save the traffic, that method will record all packets because a display filter is not the same as a capture filter.

You should be able to post-process the capture files using tshark and a display filter, e.g.

    # Quote the file name so names containing spaces survive word splitting
    for capfile in *.pcap ; do
        tshark -r "$capfile" -R 'http.request.method == "GET"' \
            -w "get-only-$capfile"
    done

If you want to filter on GET requests at capture time you could use something like Jefferson Ogata's Big Hairy HTTP GET Filter:

    tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
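
Added example, not part of the original post and not Wireshark project code: a Python emulation of what the capture filter above computes, run on constructed TCP segments. The helper names and sample segments are assumptions made for illustration; it also shows why the header length has to be read from byte 12 rather than assumed to be 20.

```python
import struct

GET_MAGIC = 0x47455420  # the constant from the filter: ASCII "GET "

def tcp_header_len(segment: bytes) -> int:
    """(tcp[12:1] & 0xf0) >> 2: data-offset nibble (32-bit words) scaled to bytes."""
    return (segment[12] & 0xF0) >> 2

def matches_get_filter(segment: bytes) -> bool:
    """Emulate tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 on one TCP segment."""
    if len(segment) < 20:
        return False
    off = tcp_header_len(segment)
    if len(segment) < off + 4:  # a BPF load past the end rejects the packet
        return False
    (first4,) = struct.unpack_from("!I", segment, off)
    return first4 == GET_MAGIC

def naive_fixed_offset(segment: bytes) -> bool:
    """Wrong shortcut: assumes a 20-byte header, so it breaks when options exist."""
    return segment[20:24] == b"GET "

def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample TCP segment (hypothetical helper; checksum left at 0)."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", 34431, 3128, 1, 0,
                         words << 4,  # byte 12: data offset in the high nibble
                         0x18,        # PSH|ACK
                         65535, 0, 0)
    return header + options + payload

# NOP, NOP, timestamp option: 12 bytes, so the header grows to 32 bytes
TS_OPTS = b"\x01\x01\x08\x0a" + bytes(8)
REQUEST = b"GET /index.html HTTP/1.0\r\n\r\n"

SAMPLES = {
    "GET, no options": build_segment(REQUEST),
    "GET, timestamp options": build_segment(REQUEST, TS_OPTS),
    "POST": build_segment(b"POST /form HTTP/1.0\r\n\r\n"),
    "bare ACK": build_segment(b""),
    "GET split across segments": build_segment(b"GE"),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:28} hdr={tcp_header_len(seg):2} "
              f"filter={matches_get_filter(seg)} naive={naive_fixed_offset(seg)}")
```

The filter matches any TCP payload that begins with "GET ", on any port, and it does not match a request whose first four bytes are not at the start of a segment.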