Re: question about exporting/filtering files

[Richard Bejtlich <taosecurity () gmail com>]

On Tue, Dec 1, 2009 at 1:17 PM, zeev mintz <zeevmintz () yahoo com> wrote:
> Hi,
>
> I have captured lots of traffic, and I would like to filter out certain packets from my captures.
> For example, I want to filter only http GET messages.
>
> Since I have over a thousand log files (each over 100mb), I need a fast (or some kind of automatic) way to export 
> only the http GET messages from all the log files, into several small files (no bigger than 100mb each).
>
> As far as I can see, I can't filter messages during capture by the http method (GET), and there is no export feature 
> through the wireshark terminal commands. What can i do?
>
> Thanks alot,
> shalev

Hello,

Do you need to save the actual packet, or only the GET request messages?

If you only need to save the GET requests, you can use a Tshark display filter.

tshark -i wlan0 -R 'http.request.method == "GET"'

2009-12-02 12:27:29.001591 192.168.2.107 34431 172.16.2.1   3128 HTTP
GET http://www.bejtlich.net/index.html HTTP/1.0

Unfortunately, if you want to save the traffic, that method will
record all packets because a display filter is not the same as a
capture filter.

You might want to use Httpry, Bro, or something similar instead.

Sincerely,

Richard
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe