
I have a pcap file (~2.3G) containing HTTP requests. I need to extract the body of each request in some way that I can further process it. Each request in its own file would work well, but I can be flexible on that.

I found something promising in tshark, as this command does almost what I need:

tshark -r capture.pcap --export-objects "http,data"

I get a folder with a bunch of files in it, each one containing one request body.

However, it only outputs the first 1000 requests. How can I get the rest of the requests?

pkaeding

  • Did not see any "stop after 1000 files" default limit in the man page. Could this be something as stupid as tshark would consume file handles while executing your command? Try `ulimit -SHn 65535` and then retry your command. – Janne Pikkarainen Feb 15 '18 at 06:13
  • @JannePikkarainen well, I did find this: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6362#c6 where it seems they decided to cap it at 1000. I wonder if there is some clever way to batch the export to do 1000 at a time, or something? – pkaeding Feb 15 '18 at 18:03

1 Answer


Try running tshark -r events.pcap -Y "http.request" -T fields -e http.file_data.

-Y "http.request" - filters for packets which are http requests

-T fields -e http.file_data - sets the output fields to just the request body

EDIT: With a large file, you may need to split up your captures with a tool like editcap.

atrakh
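The batching idea from the comments combined with the editcap suggestion in the answer, as an added example that is not part of the original post: split the capture into chunks of at most 1000 packets (so no chunk can contain more than 1000 requests) and run the export once per chunk into its own directory. The function names and arguments are my own; it assumes editcap and tshark from Wireshark are installed.

```shell
#!/bin/sh
# Added example (not the original poster's code): keep every per-chunk
# object export under tshark's 1000-file cap by splitting the pcap first.
set -eu

# Directory that receives the objects exported from chunk number $2 under $1.
chunk_outdir() {
    printf '%s/chunk_%05d\n' "$1" "$2"
}

# export_http_bodies <capture.pcap> <outdir> [packets_per_chunk]
# A chunk of N packets holds at most N HTTP requests, so N <= 1000 keeps each
# per-chunk export below the cap. Caveat: a request whose packets straddle a
# chunk boundary is not reassembled, so lower N only as far as you need to.
export_http_bodies() {
    pcap=$1; outdir=$2; per_chunk=${3:-1000}
    [ -r "$pcap" ] || { echo "cannot read $pcap" >&2; return 1; }
    for tool in editcap tshark; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 1; }
    done
    work=$(mktemp -d)
    # editcap -c writes part_NNNNN_<timestamp>.pcap files, numbered from 00000,
    # so a sorted glob visits them in capture order.
    editcap -c "$per_chunk" "$pcap" "$work/part.pcap"
    i=0
    for part in "$work"/part_*.pcap; do
        dest=$(chunk_outdir "$outdir" "$i")
        mkdir -p "$dest"
        # Same export the question used, but scoped to one chunk; a separate
        # directory per chunk also keeps same-named objects from colliding.
        tshark -r "$part" --export-objects "http,$dest" >/dev/null
        i=$((i + 1))
    done
    rm -rf "$work"
    echo "exported $i chunk(s) into $outdir"
}
```

Run it as `export_http_bodies capture.pcap ./bodies 1000`; the exported files land in `./bodies/chunk_00000`, `./bodies/chunk_00001`, and so on.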