Re: Tshark output in apache log format

["j.snelders" <j.snelders () telfort nl>]

Hi Jeffs,

When you open the file with a hex editor, you should see something like:

D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 ????............
FF FF 00 00                                     ??..

What does capinfos tell you?
http://www.wireshark.org/docs/man-pages/capinfos.html
$ capinfos -t outfile.txt
capinfos: Can't open outfile.txt: The file isn't a capture file in a known
format

$ capinfos -t outfile.pcap
File name:           outfile.pcap
File type:           Wireshark/tcpdump/... - libpcap

My best
Joke
 
On Sun, 22 Aug 2010 18:05:38 -0400 Jeffs wrote:
>  Hi Joke and thank you once again for your help and patience. I am 
> using the following command on a .pcap file which which was created 
> using wireshark:
>
> tshark -r new.pcap -R "http.host contains "www"* -w outfile.pcap

*missing quote:
$ tshark -r infile.pcap -R "http.host contains "www"" -w outfile.pcap


> I then type "more outfile.pcap" and see data that looks like following.

> This looks like text, not the normal .pcap binary output I normally see

> when I "more" a binary .pcap file:
> =======================================
> l?`L?]
>
> Host: www.nytimes.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8)

> Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Connection: keep-alive
>
> <snip>
> ==========================================
>
> However, when I more the input file, like so:
>
> more new.pcap then I do see binary output, like so:
>
>
> <????S;?n3z????IE????????t?G????1?F?t???{?}gb[??[l?????mnP??????ou??n?3p???s]?~8eg
>
> ??C
> ^???3??e@????ut?jj?|?UXh,.~L??5D??1v];???Q8f?!???3??`?Nug?#?u??E`?4?-?`?
> ?H??y?B?n??V??h????s????R}?c????n,??{B?zw???V??????u??nm?ct?????[0????O?>??????p4?Q7?g?+?????2??D?-??^L
>
> ?????L??[???f\iu?/}?H?}G??M
> K~"F06?9???cw?=?w?L/Wh.???0?^??\?????e???u????????????;?rJ???m97;???n70xSTt??!?
> ????"%?????6??????s?4??N??????*2U??%:SqL%
>
> B~?F#6?uo???5??rIS??8w?A?W??8?x ?a~??N???M????V?}?|?A?#?$??:?$?m@
> f?+????X?"i???????2u??@???*?z~g?K?GT??Z?ZU?????kQcl0p?)?L?D 
> ?r?c:????5BM???o(????D????(??U??&?O?.a?A`
> ???_T?j?m?]? _??~?E???y?????2p*;?A?>0*m???u?D??3?f
>
>
>
>
>
>
>
>
> On 8/22/2010 1:17 PM, j.snelders wrote:
> > Hi Jeffs,
> >
> > Did you use the option -w outfile?
> >
> > See tshark -h or the manpage:
> > http://www.wireshark.org/docs/man-pages/tshark.html
> > -w<outfile>  | -
> >
> >      Write raw packet data to outfile or to the standard output if outfile
> > is '-'.
> >
> >      NOTE: -w provides raw packet data, not text. If you want text output
> > you need to redirect stdout (e.g. using '>'), don't use the -w option
for
> > this.
> >
> > Best regards
> > Joke
> >
> >
> > On Sun, 22 Aug 2010 10:59:16 -0400 Jeffs wrote:
> > >   Hi Joke and thank you for your reply.  This prints out a text file,
> > > not a pcap standard file.  Well, it seems that way to me -- if I compare
> > >
> > > that outfile to a standard .cap file they are two totally different animals.
> > >
> > > I think I need an output that is totally .pcap.
> > >
> > > I could very possibly be wrong on all counts as I'm new to wireshark/tshark.
> > >
> > > On 8/20/2010 11:03 AM, j.snelders wrote:
> > > > Hi Jeffs,
> > > >
> > > > You can use a display filter -R "http.host contains "www"" and write
> the
> > > > packets to -w outfile:
> > > > $ tshark -r infile.pcap -R "http.host contains "www"" -w outfile.pcap
> > > >
> > > > Best regards
> > > > Joke
> > > >
> > > > On Fri, 20 Aug 2010 09:55:26 -0400 Jeffs wrote:
> > > > >    I doubt that Tshark can output a file in apache log format, but
> > > > > another program, justniffer, can read a .cap file and output in apache
> > > > > log format.
> > > > >
> > > > > I am currently using the following tshark command line to extract only
> > > > > sessions with 'www.' in the link:
> > > > >
> > > > > tshark -r test.pcap -T fields -e http.host  | sed 's/?.*$//' | sed
-n
> > > > > '/www./p'  | sort | uniq -c | sort -rn | head -n 500
> > > > >
> > > > > but this output is not in apache log format for use by justniffer.
> > > > >
> > > > > Can someone suggest a method to:
> > > > >
> > > > > either use tshark to output in apache log format only data with "www."
> > > > > in the data, or
> > > > >
> > > > > use a tshark command line sequence to output a "standard" .cap file
> that
> > > > > would contain all the usual .cap data but only for those records that
> > > > > contain "www." in them.
> > > > >
> > > > > Thanks.

       


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe