
I am new to Wireshark/tshark, so I want to know if something like this is possible. I have captured some traffic as a pcap file. When I open it up in Wireshark and apply the 'http.cookie' filter, it only gives me packets with cookies in them, and from those packets I only need specific HTTP information, like source/destination IP, timestamp, http.content_type, http.content_length, the cookie ID string and the full request URI. It is somewhat possible in Wireshark, but all of that is done on an offline pcap capture file stored on the computer.

Is there a way, by using tshark on an interface, that I ONLY CAPTURE HTTP PACKETS WITH COOKIES in them, and then extract specific information into a file? I have been googling a lot and have tried so many examples, but I am getting confused a lot.

I think I am confused about capture filters and read filters; can anyone help me with that?

  • OK, so far I have managed to get some result with this: << tshark -i eth0 -f 'tcp port 80' -R 'http.cookie' -z "proto,colinfo,http.content_type,http.content_type" -z "proto,colinfo,http.content_length,http.content_length" -z "proto,colinfo,http.cookie,http.cookie" > /tmp/output3.txt >>. This adds the content_type, content_length and cookie information to the Info column, but this makes the Info column way, way long. Is there a way that, instead of adding the content_type, content_length and cookie information to the Info column, I add this information to three new columns separated by a tab or a semicolon? – Abdullah Tahir Aug 29 '12 at 13:30

1 Answer


While tshark (and Wireshark) capture filters offer a variety of extensions to peek into higher layers, it will still be on a per-packet basis. This is a problem when working with TCP traffic, which may contain duplicate packets due to retransmissions.

When analyzing application layer protocols, it would be more appropriate to first reassemble the TCP stream and then deal with the higher layers. To this end, have a look at Bro. It also works on the command line, ships with a robust and extensively tested TCP reassembler, and comes with a variety of protocol parsers, including HTTP.

mavam
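The following is an added example, not code from the question, the comment or the answer. It puts the distinction the question asks about into one tshark invocation: the capture filter (-f) is BPF, applied by the kernel per packet and limited to what BPF can see (addresses and ports), so it can cheaply drop everything that is not TCP port 80 but cannot test for a Cookie header; the display filter (-Y, the successor of the older -R read filter used in the comment) is evaluated after Wireshark's dissectors and TCP segment reassembly have run, so it can match http.cookie. It also addresses the comment's request for separate columns (-T fields with -e per field and -E separator=) and the answer's warning about retransmitted packets, by excluding segments tshark has flagged as retransmissions. The interface name, pcap path and output file are placeholders; the field names are real Wireshark field names.

```shell
#!/bin/sh
# Added example: extract cookie-bearing HTTP messages with tshark.
# Not from the original question or answer; assumes a tshark (Wireshark 1.10+)
# that understands -Y, and capture rights on the interface.

# Display-filter fields requested in the question, one column each.
COOKIE_FIELDS="frame.time_epoch ip.src ip.dst http.content_type http.content_length http.cookie http.request.full_uri"

# Display (read) filter: HTTP messages carrying a Cookie header, but not
# segments the TCP analyser flagged as retransmissions (the answer's caveat:
# a retransmitted request would otherwise show up twice).
COOKIE_FILTER='http.cookie && !tcp.analysis.retransmission'

# Single-quote an argument for the shell unless it is made only of safe characters.
shquote() {
    case $1 in
        ''|*[!A-Za-z0-9_./=:-]*)
            printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
        *)
            printf '%s' "$1" ;;
    esac
}

# Print the tshark command line for SRC ($1).
#   $2: "live" (default) treats SRC as an interface, "file" as a pcap path.
#   $3: column separator for -E separator=, e.g. /t (tab, default), /s or ';'.
cookie_tshark_cmd() {
    src=$1
    mode=${2:-live}
    sep=${3:-/t}
    cmd=tshark
    if [ "$mode" = file ]; then
        cmd="$cmd -r $(shquote "$src")"
    else
        # Capture filter (-f): BPF in the kernel, per packet, port-level only.
        # -l line-buffers output so a pipe or tail -f sees rows as they arrive.
        cmd="$cmd -i $(shquote "$src") -f $(shquote 'tcp port 80') -l"
    fi
    # Display filter (-Y): evaluated after dissection and TCP reassembly.
    cmd="$cmd -Y $(shquote "$COOKIE_FILTER")"
    # One column per -e field, header row, chosen separator, values double-quoted.
    cmd="$cmd -T fields -E header=y -E separator=$(shquote "$sep") -E quote=d"
    for f in $COOKIE_FIELDS; do
        cmd="$cmd -e $f"
    done
    printf '%s\n' "$cmd"
}

# Run the extraction: cookie_capture SRC OUTFILE [live|file] [separator]
# Returns 127 if tshark is not installed instead of failing inside eval.
cookie_capture() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 127; }
    eval "$(cookie_tshark_cmd "$1" "${3:-live}" "${4:-/t}")" > "$2"
}

# Usage (not run here):
#   cookie_capture eth0 /tmp/cookies.tsv            # live, tab-separated
#   cookie_capture /tmp/trace.pcap /tmp/cookies.csv file ';'
```

tshark reassembles HTTP requests that span several TCP segments before the display filter runs (the TCP preference "allow subdissector to reassemble TCP streams" is on by default), which is why -Y http.cookie matches messages rather than raw packets; this is still weaker than the full stream reassembly the answer recommends with Bro, since out-of-order or partially captured streams are not repaired. Dropping the -f capture filter would let the display filter see HTTP on non-standard ports at the cost of copying every packet to user space.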