Wireshark-users: Re: [Wireshark-users] question about exporting/filtering files
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Wed, 02 Dec 2009 10:17:00 -0800
Richard Bejtlich wrote:
> On Tue, Dec 1, 2009 at 1:17 PM, zeev mintz <zeevmintz@xxxxxxxxx> wrote:
>> Hi,
>>
>> I have captured lots of traffic, and I would like to filter out certain packets from my captures.
>> For example, I want to filter only http GET messages.
>>
>> Since I have over a thousand log files (each over 100mb), I need a fast (or some kind of automatic) way to export only the http GET messages from all the log files, into several small files (no bigger than 100mb each).
>>
>> As far as I can see, I can't filter messages during capture by the http method (GET), and there is no export feature through the wireshark terminal commands. What can I do?
>>
>> Thanks a lot,
>> shalev
> 
> Hello,
> 
> Do you need to save the actual packet, or only the GET request messages?
> 
> If you only need to save the GET requests, you can use a Tshark display filter.
> 
> tshark -i wlan0 -R 'http.request.method == "GET"'
> 
> 2009-12-02 12:27:29.001591 192.168.2.107 34431 172.16.2.1   3128 HTTP
> GET http://www.bejtlich.net/index.html HTTP/1.0
> 
> Unfortunately, if you want to save the traffic, that method will
> record all packets because a display filter is not the same as a
> capture filter.

You should be able to post-process the capture files using tshark and a
display filter, e.g.

for capfile in *.pcap ; do
    # read each capture, keep only HTTP GET requests, write them to a new file
    tshark -r "$capfile" -R 'http.request.method == "GET"' \
        -w "get-only-$capfile"
done

If you want to filter on GET requests at capture time you could use
something like Jefferson Ogata's Big Hairy HTTP GET Filter:

    tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
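That BPF expression reads the TCP data-offset nibble to find where the payload starts and compares its first four bytes with 0x47455420, the big-endian encoding of "GET ". The Python below is an added illustration, not code from this thread or from the Wireshark project: it applies the same test to constructed TCP segments (helper names and sample bytes are this example's own) and shows why a fixed 20-byte offset would miss segments that carry TCP options.

```python
import struct

# Helper names and sample segments below are constructed for this example.
GET_MAGIC = 0x47455420  # big-endian encoding of the ASCII bytes b"GET "


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Return a TCP header (ports 34431 -> 3128, flags PSH|ACK), any TCP
    options padded to a 4-byte boundary, and the payload. No IP header."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    header_words = 5 + len(options) // 4          # header length in 32-bit words
    offset_byte = header_words << 4               # high nibble = data offset
    header = struct.pack("!HHIIBBHHH",
                         34431, 3128,             # source / destination port
                         0, 0,                    # seq / ack (constructed)
                         offset_byte, 0x18,       # data offset byte, PSH|ACK
                         65535, 0, 0)             # window, checksum, urg ptr
    return header + options + payload


def bpf_get_match(segment: bytes) -> bool:
    """Same test as  tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 .
    tcp[12:1] holds the data offset in its high nibble (in 32-bit words);
    (byte & 0xf0) >> 2 equals words * 4, i.e. the header length in bytes."""
    if len(segment) < 13:
        return False
    data_offset = (segment[12] & 0xF0) >> 2
    first4 = segment[data_offset:data_offset + 4]
    if len(first4) < 4:                           # fewer than 4 payload bytes
        return False
    return struct.unpack("!I", first4)[0] == GET_MAGIC


def naive_get_match(segment: bytes) -> bool:
    """The tempting shortcut  tcp[20:4] = 0x47455420 , which assumes a
    20-byte header and therefore misses segments carrying TCP options."""
    return segment[20:24] == b"GET "


if __name__ == "__main__":
    plain = build_tcp_segment(b"GET /index.html HTTP/1.0\r\n")
    # 12 bytes of options: NOP, NOP, Timestamps (kind 8, length 10)
    with_ts = build_tcp_segment(b"GET / HTTP/1.1\r\n",
                                options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
    post = build_tcp_segment(b"POST /login HTTP/1.0\r\n")
    print(bpf_get_match(plain), bpf_get_match(with_ts), bpf_get_match(post))
    print(naive_get_match(plain), naive_get_match(with_ts))
```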