Wireshark mailing list archives
Re: Tshark output in apache log format
From: "j.snelders" <j.snelders () telfort nl>
Date: Mon, 23 Aug 2010 06:26:13 +0200
Hi Jeffs,

When you open the file with a hex editor, you should see something like:

D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 ????............
FF FF 00 00 ??..

What does capinfos tell you?
http://www.wireshark.org/docs/man-pages/capinfos.html

$ capinfos -t outfile.txt
capinfos: Can't open outfile.txt: The file isn't a capture file in a known format

$ capinfos -t outfile.pcap
File name: outfile.pcap
File type: Wireshark/tcpdump/... - libpcap

My best
Joke

On Sun, 22 Aug 2010 18:05:38 -0400 Jeffs wrote:
> Hi Joke and thank you once again for your help and patience.
> I am using the following command on a .pcap file which was created using wireshark:
>
> tshark -r new.pcap -R "http.host contains "www"* -w outfile.pcap

*missing quote:
$ tshark -r infile.pcap -R "http.host contains "www"" -w outfile.pcap

> I then type "more outfile.pcap" and see data that looks like the following.
> This looks like text, not the normal .pcap binary output I normally see
> when I "more" a binary .pcap file:
>
> =======================================
> l?`L?] Host: www.nytimes.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Connection: keep-alive
> <snip>
> ==========================================
>
> However, when I more the input file, like so:
>
> more new.pcap
>
> then I do see binary output, like so:
>
> <????S;?n3z????IE????????t?G????1?F?t???{?}gb[??[l?????mnP??????ou??n?3p???s]?~8eg ??C ^???3??e@????ut?jj?|?UXh,.~L??5D??1v];???Q8f?!???3??`?Nug?#?u??E`?4?-?`? ?H??y?B?n??V??h????s????R}?c????n,??{B?zw???V??????u??nm?ct?????[0????O?>??????p4?Q7?g?+?????2??D?-??^L ?????L??[???f\iu?/}?H?}G??M K~"F06?9???cw?=?w?L/Wh.???0?^??\?????e???u????????????;?rJ???m97;???n70xSTt??!? ????"%?????6??????s?4??N??????*2U??%:SqL% B~?F#6?uo???5??rIS??8w?A?W??8?x ?a~??N???M????V?}?|?A?#?$??:?$?m@ f?+????X?"i???????2u??@???*?z~g?K?GT??Z?ZU?????kQcl0p?)?L?D ?r?c:????5BM???o(????D????(??U??&?O?.a?A` ???_T?j?m?]? _??~?E???y?????2p*;?A?>0*m???u?D??3?f
>
> On 8/22/2010 1:17 PM, j.snelders wrote:
>> Hi Jeffs,
>>
>> Did you use the option -w outfile?
>> See tshark -h or the manpage: http://www.wireshark.org/docs/man-pages/tshark.html
>>
>> -w <outfile> | -
>>   Write raw packet data to outfile or to the standard output if outfile is '-'.
>>   NOTE: -w provides raw packet data, not text. If you want text output you need
>>   to redirect stdout (e.g. using '>'), don't use the -w option for this.
>>
>> Best regards
>> Joke
>>
>> On Sun, 22 Aug 2010 10:59:16 -0400 Jeffs wrote:
>>> Hi Joke and thank you for your reply.
>>> This prints out a text file, not a pcap standard file. Well, it seems that way
>>> to me -- if I compare that outfile to a standard .cap file they are two totally
>>> different animals. I think I need an output that is totally .pcap. I could very
>>> possibly be wrong on all counts as I'm new to wireshark/tshark.
>>>
>>> On 8/20/2010 11:03 AM, j.snelders wrote:
>>>> Hi Jeffs,
>>>>
>>>> You can use a display filter -R "http.host contains "www"" and write the
>>>> packets to -w outfile:
>>>>
>>>> $ tshark -r infile.pcap -R "http.host contains "www"" -w outfile.pcap
>>>>
>>>> Best regards
>>>> Joke
>>>>
>>>> On Fri, 20 Aug 2010 09:55:26 -0400 Jeffs wrote:
>>>>> I doubt that Tshark can output a file in apache log format, but another
>>>>> program, justniffer, can read a .cap file and output in apache log format.
>>>>> I am currently using the following tshark command line to extract only
>>>>> sessions with 'www.' in the link:
>>>>>
>>>>> tshark -r test.pcap -T fields -e http.host | sed 's/?.*$//' | sed -n '/www./p' | sort | uniq -c | sort -rn | head -n 500
>>>>>
>>>>> but this output is not in apache log format for use by justniffer.
>>>>> Can someone suggest a method to: either use tshark to output in apache log
>>>>> format only data with "www." in the data, or use a tshark command line
>>>>> sequence to output a "standard" .cap file that would contain all the usual
>>>>> .cap data but only for those records that contain "www." in them.
>>>>> Thanks.
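The reply above checks whether outfile.pcap is a real capture by looking at its first bytes (D4 C3 B2 A1, then version 2.4 and a 0xFFFF snaplen) or by asking capinfos. The script below is an added example, not code from the thread or from the Wireshark project: it parses the 24-byte libpcap global header in either byte order, also recognises the pcapng section header, and walks the per-packet records so a truncated or text file is reported instead of being mistaken for a capture. The header bytes match the hex shown in the reply; the linktype value (1, Ethernet), the two sample frames, the timestamps and the "Host: www.nytimes.com" text sample are constructed for this example.

```python
import struct
from typing import Iterator, Optional

# libpcap magic numbers, as a 32-bit value in the file's native byte order.
# On a little-endian machine 0xA1B2C3D4 is stored on disk as D4 C3 B2 A1,
# which is exactly the byte sequence quoted in the reply above.
PCAP_MAGIC_MICROS = 0xA1B2C3D4   # timestamps in microseconds
PCAP_MAGIC_NANOS = 0xA1B23C4D    # timestamps in nanoseconds
PCAPNG_SHB_TYPE = 0x0A0D0D0A     # pcapng Section Header Block, reads the same in both orders

GLOBAL_HEADER_LEN = 24   # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
RECORD_HEADER_LEN = 16   # ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)


def identify_capture(data: bytes) -> Optional[dict]:
    """Summarise the capture file header, or return None if data is not a pcap/pcapng file.

    A text file (e.g. tshark output redirected with '>') has no recognised magic
    and is reported as None, the same verdict capinfos gives for outfile.txt.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        return None
    (magic_le,) = struct.unpack("<I", data[:4])
    (magic_be,) = struct.unpack(">I", data[:4])
    if magic_be == PCAPNG_SHB_TYPE:
        return {"format": "pcapng"}
    if magic_le in (PCAP_MAGIC_MICROS, PCAP_MAGIC_NANOS):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_MICROS, PCAP_MAGIC_NANOS):
        endian, magic = ">", magic_be
    else:
        return None
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN]
    )
    return {
        "format": "pcap",
        "byte_order": "little" if endian == "<" else "big",
        "timestamp_unit": "ns" if magic == PCAP_MAGIC_NANOS else "us",
        "version": f"{major}.{minor}",
        "snaplen": snaplen,
        "linktype": linktype,
    }


def iter_records(data: bytes) -> Iterator[dict]:
    """Yield each packet record of a libpcap file, validating lengths as it goes."""
    info = identify_capture(data)
    if not info or info["format"] != "pcap":
        raise ValueError("not a libpcap file")
    endian = "<" if info["byte_order"] == "little" else ">"
    off = GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN]
        )
        off += RECORD_HEADER_LEN
        # incl_len can never exceed the snaplen, nor run past the end of the file
        if incl_len > info["snaplen"] or off + incl_len > len(data):
            raise ValueError(f"corrupt record at offset {off - RECORD_HEADER_LEN}")
        yield {"ts_sec": ts_sec, "ts_frac": ts_frac, "incl_len": incl_len,
               "orig_len": orig_len, "payload": data[off:off + incl_len]}
        off += incl_len


def _build_sample_pcap() -> bytes:
    """Constructed little-endian capture: header bytes from the reply, two made-up frames."""
    header = bytes.fromhex("D4C3B2A1" "0200" "0400" "00000000" "00000000" "FFFF0000" "01000000")
    frames = [
        b"\x00" * 14 + b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # constructed frame 1
        b"\x00" * 14 + b"HTTP/1.1 200 OK\r\n\r\n",                          # constructed frame 2
    ]
    out = bytearray(header)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1282500000 + i, 0, len(frame), len(frame))  # constructed timestamps
        out += frame
    return bytes(out)


SAMPLE_PCAP = _build_sample_pcap()
# Same header written by a big-endian host (constructed).
SAMPLE_PCAP_BE = bytes.fromhex("A1B2C3D4" "0002" "0004" "00000000" "00000000" "0000FFFF" "00000001")
# What a redirected text dump looks like (constructed, modelled on the quoted output).
SAMPLE_TEXT = b"Host: www.nytimes.com\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1)\r\n"


if __name__ == "__main__":
    for name, blob in (("sample.pcap", SAMPLE_PCAP), ("sample_be.pcap", SAMPLE_PCAP_BE), ("outfile.txt", SAMPLE_TEXT)):
        info = identify_capture(blob)
        if info is None:
            print(f"{name}: not a capture file in a known format")
        elif info["format"] == "pcap":
            n = sum(1 for _ in iter_records(blob))
            print(f"{name}: libpcap {info['version']} {info['byte_order']}-endian, "
                  f"snaplen {info['snaplen']}, linktype {info['linktype']}, {n} packets")
        else:
            print(f"{name}: {info['format']}")
```

To run it against a real file, read the bytes from disk and pass them to identify_capture; the record walk is what turns "it starts with the right magic" into "every packet header is consistent", which is the difference between a file tshark -w actually produced and something merely named .pcap.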