Wireshark mailing list archives

Re: The best method to extract the subset of HTTP fields from the live traffic


From: Vitaly Repin <vitaly.repin () gmail com>
Date: Mon, 11 Jan 2016 11:38:15 +0200

Hello,


Thanks for all the answers.

Just for reference, I'll describe my current solution here.

I use a tap and the function all_field_infos() there.

So, the Lua tap listener looks like:

  -- Listener on the "http" tap; all_field_infos() returns the fields of the
  -- packet currently being dissected, so it is called from tap.packet()
  local tap = Listener.new("http")

  -- getstring() is not shown in the post; assumed to return the field's
  -- display value, which tostring() on a FieldInfo provides
  local function getstring(finfo) return tostring(finfo) end

  function tap.packet(pinfo, tvb, tapinfo)
    local out = {}
    -- Get a table of fields
    local fields = { all_field_infos() }
    -- Field names in Wireshark notation:
    -- https://www.wireshark.org/docs/dfref/h/http.html
    local http_field_names = { "http.user_agent",
      "http.referer",
    }
    local out_field_names = { "user_agent",
      "referer",
    }

    for ix, finfo in ipairs(fields) do
      for i, nm in ipairs(http_field_names) do
        if finfo.name == nm then
          out[out_field_names[i]] = getstring(finfo)
        end
      end
    end

    -- JSON is an external Lua JSON library (loaded elsewhere in the script)
    local json_pretty = JSON:encode(out)
  end

And then I put json_pretty to the output log file.

It's important to use "-T fields -e http.content_type" (or any other
HTTP field) on tshark's command line. Otherwise the HTTP dissector is not
launched and all_field_infos() does not return HTTP fields.


2016-01-07 0:34 GMT+02:00 Vitaly Repin <vitaly.repin () gmail com>:

Hello,

As of now they are standard. E.g., Referer and response body.

" it's possible for them to be added as fields (which will then appear
in pinfo)".  How can I do it?
Is it done through

 How can I add them to pinfo? Can "-T fields, -e ..." help me here?

2016-01-06 19:52 GMT+02:00 Abhik Sarkar <sarkar.abhik () gmail com>:



-- 
WBR & WBW, Vitaly
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
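For reference, a complete version of this approach as an added example, not the poster's script: it maps Wireshark field names to output keys in one table, keeps every occurrence of a field within a frame rather than only the last one, and appends one JSON object per frame to a file without an external JSON library. FIELD_MAP, OUT_PATH and the small JSON helpers are assumptions chosen for this example; it still has to be run with a field option on the command line (e.g. tshark -X lua_script:http_fields.lua -T fields -e http.content_type) so that the HTTP dissector is invoked.

```lua
-- Wireshark field name -> key in the JSON output (assumed names for this example)
local FIELD_MAP = {
  ["http.host"]         = "host",
  ["http.request.uri"]  = "uri",
  ["http.user_agent"]   = "user_agent",
  ["http.referer"]      = "referer",
  ["http.content_type"] = "content_type",
}
local OUT_PATH = "http_fields.jsonl"  -- assumed output path, one JSON object per line
-- Minimal JSON string encoder so the script needs no external JSON library
local function json_str(s)
  s = s:gsub('[%c"\\]', function(c)
    if c == '"' then return '\\"' elseif c == '\\' then return '\\\\' end
    return string.format("\\u%04x", c:byte())
  end)
  return '"' .. s .. '"'
end
-- Encode a flat table whose values are strings or arrays of strings
local function json_obj(t)
  local parts = {}
  for k, v in pairs(t) do
    if type(v) == "table" then
      local items = {}
      for _, s in ipairs(v) do items[#items + 1] = json_str(s) end
      v = "[" .. table.concat(items, ",") .. "]"
    else
      v = json_str(v)
    end
    parts[#parts + 1] = json_str(k) .. ":" .. v
  end
  table.sort(parts)  -- deterministic key order
  return "{" .. table.concat(parts, ",") .. "}"
end

local outfile = assert(io.open(OUT_PATH, "a"))
local tap = Listener.new("http")  -- packet() fires once per frame carrying HTTP

function tap.packet(pinfo, tvb, tapinfo)
  local out = { frame = tostring(pinfo.number) }
  for _, finfo in ipairs({ all_field_infos() }) do
    local key = FIELD_MAP[finfo.name]
    if key then
      -- a field can occur more than once in a frame (e.g. pipelined requests), so keep all
      out[key] = out[key] or {}
      table.insert(out[key], tostring(finfo))
    end
  end
  outfile:write(json_obj(out), "\n")
  outfile:flush()  -- live capture: make each record visible immediately
end
```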
