Wireshark mailing list archives

Re: Enrich tshark data


From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Sat, 9 Sep 2017 12:25:18 +0200

Hi Conall,

You’re quite in the right place here to put forward these questions. I’ll have a go and try to answer them.

What you spotted is the HTTP dissector adding the HTTP status field to the protocol tree 
(https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-http.c;hb=HEAD#l1778)

Now we have to look a bit at Wireshark’s design. In its core there’s EPAN, the dissection engine. This is where the HTTP 
dissector lives.
The output of the dissection engine is used in various ways. In Wireshark it’s used to fill the GUI, in tshark it’s 
used to generate the text output. 
What format this tshark text output has is determined by the command line parameters. Then it’s up to the output 
routines to include the data in the selected format.
Now, the question remains how is the HTTP response code description processed by the JSON output routines. 


On 8 Sep 2017, at 15:21, Conall Prendergast <conall.prendergast () anam com> wrote:

Hi All,

Wireshark has the ability to enrich some of the numeric values it sees. For example, if it sees an HTTP status code of 
200, it might print "OK" beside it, because HTTP 200 means OK (this is just a guess, I'm not sure what it does for 
HTTP status codes).

Is it possible to add this kind of enrichment to tshark's json output? 

Regards,
Conall


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
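Until the JSON output routines carry the description themselves, the enrichment Conall asks about can be done on the consumer side. The following is an added example, not code from Wireshark or tshark: it walks the JSON that `tshark -r file.pcap -T json -Y http.response` emits and adds a reason phrase next to every `http.response.code` it finds. It assumes tshark's JSON layout (a list of packet objects, each with `_source` -> `layers`, field names as keys, string values, nested subtrees as dicts); the name of the added key and the sample input are constructed for the example, and the reason phrases come from Python's `http.HTTPStatus`, not from the HTTP dissector.

```python
"""Add an HTTP reason phrase beside http.response.code in tshark JSON output.

Added example, not part of Wireshark or tshark. The layout assumed below
(list of packets, _source.layers, field-name keys with string values, nested
subtrees as dicts) mirrors `tshark -T json`; the sample input is constructed.
"""
import json
from http import HTTPStatus

CODE_FIELD = "http.response.code"
# Hypothetical key name for the added description; not a real tshark field.
DESC_FIELD = "http.response.code.desc_added"


def reason_phrase(code):
    """Map a status code (string or int) to its standard reason phrase.

    Returns None for values that are not numeric or that Python's http
    module does not know (e.g. a server's private 5xx code).
    """
    try:
        return HTTPStatus(int(code)).phrase
    except ValueError:
        return None


def enrich(node):
    """Recursively walk a decoded tshark JSON tree.

    Wherever a dict carries http.response.code, add a sibling DESC_FIELD
    with the reason phrase. Returns the number of fields enriched.
    """
    count = 0
    if isinstance(node, dict):
        if CODE_FIELD in node:
            phrase = reason_phrase(node[CODE_FIELD])
            if phrase is not None:
                node[DESC_FIELD] = phrase
                count += 1
        for value in node.values():
            count += enrich(value)
    elif isinstance(node, list):
        for item in node:
            count += enrich(item)
    return count


def enrich_json(text):
    """Parse raw `tshark -T json` text; return (packets, fields enriched)."""
    packets = json.loads(text)
    return packets, enrich(packets)


# Constructed sample in the shape of `tshark -T json -Y http.response`:
# the status line subtree holds http.response.code; the third packet carries
# a code outside the IANA registry and must be left untouched.
SAMPLE = json.dumps([
    {"_source": {"layers": {"http": {
        "HTTP/1.1 200 OK\\r\\n": {"http.response.code": "200"}}}}},
    {"_source": {"layers": {"http": {
        "HTTP/1.1 404 Not Found\\r\\n": {"http.response.code": "404"}}}}},
    {"_source": {"layers": {"http": {
        "HTTP/1.1 599 Whatever\\r\\n": {"http.response.code": "599"}}}}},
])


def descriptions(packets):
    """Collect the added descriptions in packet order (None where absent)."""
    out = []
    for pkt in packets:
        http = pkt["_source"]["layers"]["http"]
        status_line = next(iter(http.values()))
        out.append(status_line.get(DESC_FIELD))
    return out


if __name__ == "__main__":
    # Typical use: tshark -r capture.pcap -T json -Y http.response | python enrich.py
    pkts, n = enrich_json(SAMPLE)
    print(json.dumps(pkts, indent=1))
    print(f"enriched {n} field(s)")
```

Piping the real tshark output through `enrich_json` instead of `SAMPLE` gives the same result; codes that `HTTPStatus` does not know are simply passed through unchanged rather than guessed.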
