On Sat, Jun 23, 2007 at 01:46:35PM -0500, Jason Bush wrote:
> The above provides me with the fourth frame of each TCP communication
> on port 80, I then need to parse out the host, GET statement, and some
> other information. Is there an easy way of providing this information
> in standard out, or is this something that I will have to feed the
> frame data to a script/program to parse the information?

You can if you're using version 0.99.6 (see below) or the latest SVN
tree. Check out the -T fields option along with the -e <field name>
option and optionally the -E field in the man page.

For example:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
sfisher@shadow:/usr/local/src/wireshark>./tshark -R "http.request.method
== GET" -r ~/captures/http.pcap -T fields -e http.host -e
http.request.uri -E headers=y
sfisher@shadow:/usr/local/src/wireshark>./tshark -R "http.request.method
== GET" -r ~/captures/http.pcap -T fields -e http.host -e
http.request.uri -E header=y
http.host http.request.uri
www.wireshark.org /
www.wireshark.org /favicon.ico
www.wireshark.org /js/common.js
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Version 0.99.6 is in pre-release right now and can be downloaded from:

http://www.wireshark.org/download/prerelease/wireshark-0.99.6pre1.tar.gz
http://www.wireshark.org/download/prerelease/wireshark-0.99.6pre1.u3p
http://www.wireshark.org/download/prerelease/wireshark-setup-0.99.6pre1.exe

Steve
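
Added example, not part of the original message: a consumer for the `-T fields ... -E header=y` output shown above, grouping requested URIs by host and keeping requests whose http.host field is empty. It assumes the fields are tab-separated; the function names and the sample rows are constructed for illustration.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample of the output of
#   tshark ... -T fields -e http.host -e http.request.uri -E header=y
# Assumption: fields are separated by a tab. The fourth data row has an
# empty http.host field (a request sent without a Host header).
SAMPLE = (
    "http.host\thttp.request.uri\n"
    "www.wireshark.org\t/\n"
    "www.wireshark.org\t/favicon.ico\n"
    "www.wireshark.org\t/js/common.js\n"
    "\t/js/common.js\n"
    "www.wireshark.org\t/\n"
)


def parse_fields(stream):
    """Yield one dict per output row, keyed by the names in the header row."""
    # QUOTE_NONE: a URI may contain quote characters that must stay literal.
    reader = csv.reader(stream, delimiter="\t", quoting=csv.QUOTE_NONE)
    header = next(reader, None)
    if header is None:
        return
    for row in reader:
        if not row:
            continue  # skip blank lines
        # Pad short rows so a missing trailing field becomes an empty string.
        row = row + [""] * (len(header) - len(row))
        yield dict(zip(header, row))


def uris_by_host(records):
    """Map each host to the distinct URIs requested from it, in first-seen order."""
    grouped = defaultdict(list)
    for rec in records:
        host = rec.get("http.host") or "(no Host header)"
        uri = rec.get("http.request.uri", "")
        if uri not in grouped[host]:
            grouped[host].append(uri)
    return dict(grouped)


if __name__ == "__main__":
    # Pipe tshark's output in on stdin; with no pipe, the constructed sample is used.
    source = io.StringIO(SAMPLE) if sys.stdin.isatty() else sys.stdin
    for host, uris in uris_by_host(parse_fields(source)).items():
        print(host, *uris, sep="\n  ")
```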