Wireshark mailing list archives

Re: question about exporting/filtering files


From: Gerald Combs <gerald () wireshark org>
Date: Wed, 02 Dec 2009 10:17:00 -0800

Richard Bejtlich wrote:
On Tue, Dec 1, 2009 at 1:17 PM, zeev mintz <zeevmintz () yahoo com> wrote:
Hi,

I have captured lots of traffic, and I would like to filter out certain packets from my captures.
For example, I want to filter only http GET messages.

Since I have over a thousand log files (each over 100mb), I need a fast (or some kind of automatic) way to export 
only the http GET messages from all the log files, into several small files (no bigger than 100mb each).

As far as I can see, I can't filter messages during capture by the http method (GET), and there is no export feature
through the wireshark terminal commands. What can I do?

Thanks a lot,
shalev

Hello,

Do you need to save the actual packet, or only the GET request messages?

If you only need to save the GET requests, you can use a Tshark display filter.

tshark -i wlan0 -R 'http.request.method == "GET"'

2009-12-02 12:27:29.001591 192.168.2.107 34431 172.16.2.1   3128 HTTP
GET http://www.bejtlich.net/index.html HTTP/1.0

Unfortunately, if you want to save the traffic, that method will
record all packets because a display filter is not the same as a
capture filter.

You should be able to post-process the capture files using tshark and a
display filter, e.g.

for capfile in *.pcap ; do
    # quote the file name so paths with spaces survive word splitting
    tshark -r "$capfile" -R 'http.request.method == "GET"' \
        -w "get-only-$capfile"
done

If you want to filter on GET requests at capture time you could use
something like Jefferson Ogata's Big Hairy HTTP GET Filter:

    tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

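As an added illustration (not part of the thread), the following Python mirrors the tcpdump expression above on constructed Ethernet/IPv4/TCP frames, showing why the filter reads the TCP data offset instead of assuming a 20-byte header: a request carrying TCP options would otherwise be missed. Frame layout, addresses and payloads are sample data built in the script.

```python
import struct
from typing import Optional

ETH_HDR_LEN = 14         # untagged Ethernet assumed
GET_MAGIC = 0x47455420   # "GET " as a big-endian 32-bit integer, as in the BPF filter

def tcp_payload_offset(frame: bytes) -> Optional[int]:
    """Offset of the TCP payload inside an Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip_start = ETH_HDR_LEN
    ihl = (frame[ip_start] & 0x0F) * 4       # IPv4 header length in bytes
    if frame[ip_start + 9] != 6:             # protocol 6 = TCP
        return None
    tcp_start = ip_start + ihl
    if len(frame) < tcp_start + 13:
        return None
    # tcp[12:1] & 0xf0 isolates the data-offset nibble (in 32-bit words);
    # >> 2 yields bytes directly, since (x >> 4) * 4 == x >> 2 for the masked value.
    return tcp_start + ((frame[tcp_start + 12] & 0xF0) >> 2)

def is_http_get(frame: bytes) -> bool:
    """Python equivalent of: tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"""
    off = tcp_payload_offset(frame)
    if off is None or len(frame) < off + 4:
        return False
    return struct.unpack("!I", frame[off:off + 4])[0] == GET_MAGIC

def build_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data, not a real capture)."""
    assert len(tcp_options) % 4 == 0
    doff = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    tcp += tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 2, 107]), bytes([172, 16, 2, 1]))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    return eth + ip + tcp

SAMPLES = {
    # NOP, NOP, timestamp option: TCP header becomes 32 bytes, so tcp[20:4] would not see "GET "
    "get_with_options": build_frame(b"GET /index.html HTTP/1.0\r\n",
                                    b"\x01\x01\x08\x0a" + b"\x00" * 8),
    "get_plain": build_frame(b"GET / HTTP/1.1\r\n"),
    "post": build_frame(b"POST /form HTTP/1.1\r\n"),
    "tls_client_hello": build_frame(b"\x16\x03\x01\x00\xa5\x01"),
}
```

Run `is_http_get()` over each entry in `SAMPLES` to see that only the two GET frames match, including the one whose TCP header carries options.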