0

Does anyone know how I would go about extracting urls in w3c extended log format from a wireshark pcap capture file?

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
Mike
  • 196
  • 1
  • 2
  • 13
  • I may be misunderstanding your question, but Wireshark doesn't do that. It's not a log parsing tool (that I'm aware of) it's a packet capture program. – joeqwerty Sep 24 '10 at 11:21
  • i know wireshark doesn't do that. I'm wondering how I can parse a wireshark file and output a http log file. – Mike Sep 24 '10 at 11:35
  • I don't think that's possible. How about looking at the log file on the web server? – joeqwerty Sep 24 '10 at 13:12

1 Answers1

0

Not practical with Wireshark but have a look at this: http://chaosreader.sourceforge.net/

This is a type of "any-snarf" program, as it will fetch ... HTTP transfersfrom the captured data inside network traffic logs. A html index file is created that links to ... reports such as image reports and HTTP GET/POST content reports.

I don't think the reports are in w3c extended log format but...why so strict? Surely a bit a perl will let you munge them into w3c extended log format.

See http://isc.sans.edu/diary.html?storyid=6961 for more leads.

Mark Wagner
  • 18,019
  • 2
  • 32
  • 47
  • Thank you so much. This is exactly what I'm looking for. I've been able to convert that output into w3c logs. Thanks again! – Mike Sep 25 '10 at 00:38