Wireshark mailing list archives

Re: The best method to extract the subset of HTTP fields from the live traffic


From: Vitaly Repin <vitaly.repin () gmail com>
Date: Thu, 7 Jan 2016 00:34:44 +0200

Hello,

As of now they are standard. E.g., Referer and response body.

"it's possible for them to be added as fields (which will then appear
in pinfo)". How can I do it?
Is it done through

How can I add them to pinfo? Can "-T fields, -e ..." help me here?

2016-01-06 19:52 GMT+02:00 Abhik Sarkar <sarkar.abhik () gmail com>:
Hi,

From your question, it seems the data you wish to extract are not known
fields. However, it's not clear what you are after. If it's non-standard
HTTP headers you are after, it's possible for them to be added as fields
(which will then appear in pinfo).

If that works, you could either continue with your LUA tap, or you could
also check the option of running tshark with the "-T fields" option and
extracting specific fields (with -e) you want. See the manpage for more
info.

Hope this helps.
Abhik.

On 6 January 2016 at 20:01, Vitaly Repin <vitaly.repin () gmail com> wrote:

Hello,

I am trying to extract a specific subset of HTTP fields from the live
stream and I need Wireshark experts' advice on the best way to do
this.

It looks like the following options exist:

1) Output packets in pdml format. Extract the fields I need from the
output data.

2) Use lua scripting to extract the data using the lua functions

It seems to me the second method is better in terms of performance
(pdml output contains huge amount of data which I do not need) and it
should be also simpler in development.

I have written a tap in Lua but I was able to extract only the fields
delivered through the pinfo structure. The question is - how to parse the tvb
structure?

Can I access the parsed tvb somehow? Should I get the http dissector from
DissectorTable.get("tcp.port"):get_dissector(80) and apply it to the
tvb? Could you point me to an example?

Or maybe the simplest way is to create a post-dissector or chained
dissector and not use a tap at all?

Thanks in advance!

--
WBR & WBW, Vitaly

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe






-- 
WBR & WBW, Vitaly
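As an added illustration of the approach the thread converges on (it is not code posted by anyone in the thread), the Lua tap below reads the Referer and the response body from the already-dissected HTTP tree via field extractors, so no re-parsing of the tvb is needed; the field names are Wireshark's standard http.* fields, and the output layout is the example's own choice.

```lua
-- Added example: a tshark/Wireshark Lua tap that pulls selected HTTP
-- fields from the dissection tree with field extractors instead of
-- walking the tvb by hand.
-- Run: tshark -q -X lua_script:http_fields.lua -r capture.pcap
--  or: tshark -q -X lua_script:http_fields.lua -i eth0
-- Field extractors must be created at script load time, before any
-- packet callback runs.
local f_host    = Field.new("http.host")
local f_uri     = Field.new("http.request.uri")
local f_referer = Field.new("http.referer")
local f_code    = Field.new("http.response.code")
local f_ctype   = Field.new("http.content_type")
local f_body    = Field.new("http.file_data")  -- reassembled response body

-- Listen on the "http" tap; only frames passing the display filter
-- reach packet(), so non-HTTP traffic is never seen here.
local tap = Listener.new("http", "http.request or http.response")

-- Collapse line breaks and tabs so each frame prints as one record.
local function one_line(s)
  return (s:gsub("[\r\n\t]", " "))
end

-- Return the field's string value, or "-" when the frame lacks it
-- (e.g. requests have no response code; responses have no Referer).
local function value_of(extractor)
  local fi = extractor()   -- FieldInfo, or nil if absent in this frame
  if fi == nil then return "-" end
  return one_line(tostring(fi))
end

function tap.packet(pinfo, tvb)
  local rec = {
    tostring(pinfo.number),
    tostring(pinfo.src) .. ":" .. tostring(pinfo.src_port),
    tostring(pinfo.dst) .. ":" .. tostring(pinfo.dst_port),
    value_of(f_host),
    value_of(f_uri),
    value_of(f_referer),
    value_of(f_code),
    value_of(f_ctype),
  }
  -- Cap the body so one large download cannot flood the output.
  local body = value_of(f_body)
  if #body > 200 then body = body:sub(1, 200) .. "...[" .. #body .. " bytes]" end
  rec[#rec + 1] = body
  print(table.concat(rec, "\t"))
end
```

The same extractor objects work inside a post-dissector's dissector() function, so the choice between tap and post-dissector is about whether you want to add fields to the tree or only read them.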

