Wireshark-users: Re: [Wireshark-users] Tshark output in apache log format
From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Mon, 23 Aug 2010 07:16:34 +0200
Hi again,

Which version are you running?
$ tshark -v
TShark 1.5.0-SVN-33840 (SVN Rev 33840 from /trunk)

See Bug 5124 New: Save As saves as incorrect file format when using "Displayed"
http://www.wireshark.org/lists/wireshark-bugs/201008/msg00387.html

My best
Joke
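Judging a file with "more" is unreliable; reading the pcap global header tells you for certain whether tshark wrote raw packet data (-w) or redirected dissector text. The following Python script is an added example for this thread, not code from Wireshark or from either poster: it checks for the pcap magic number, reports endianness, version, link type and packet count, flags a cut-off file, and classifies a mostly-printable file as text. The sample pcap and sample text bytes are constructed for the example, not taken from the real capture.

```python
import struct

# pcap magic numbers as seen when the first 4 bytes are read little-endian:
# value -> (struct byte-order prefix for the rest of the file, timestamp unit)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", "us"),  # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", "us"),  # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", "ns"),  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", "ns"),  # big-endian file, nanosecond timestamps
}
GLOBAL_HDR = 24  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16  # ts_sec, ts_frac, incl_len, orig_len

def looks_like_text(data):
    """Heuristic: >90% printable ASCII in the first 512 bytes means dissector text, not a capture."""
    sample = data[:512]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    return len(sample) > 0 and printable / len(sample) > 0.9

def inspect_capture(data):
    """Classify data as 'pcap', 'text' or 'unknown'; for pcap, walk its packet records."""
    magic = struct.unpack("<I", data[:4])[0] if len(data) >= GLOBAL_HDR else None
    if magic not in PCAP_MAGICS:
        return {"format": "text" if looks_like_text(data) else "unknown"}
    endian, ts_unit = PCAP_MAGICS[magic]
    major, minor, _zone, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:GLOBAL_HDR])
    packets, offset, truncated = 0, GLOBAL_HDR, False
    while offset + RECORD_HDR <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + RECORD_HDR])
        if offset + RECORD_HDR + incl_len > len(data):
            truncated = True  # record claims more bytes than the file holds (cut-off capture)
            break
        offset += RECORD_HDR + incl_len
        packets += 1
    truncated = truncated or offset != len(data)  # trailing bytes shorter than a record header
    return {"format": "pcap", "version": "%d.%d" % (major, minor), "endian": endian,
            "timestamps": ts_unit, "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}

def build_sample_pcap():
    """Constructed sample (not a real capture): little-endian pcap, linktype 1, one record of HTTP bytes."""
    frame = b"GET / HTTP/1.1\r\nHost: www.nytimes.com\r\n\r\n"  # stands in for a full frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 1282500000, 0, len(frame), len(frame)) + frame
    return header + record

# Constructed sample of what redirected tshark text output looks like.
SAMPLE_TEXT = b"Host: www.nytimes.com\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1)\r\n"

print(inspect_capture(build_sample_pcap()), inspect_capture(SAMPLE_TEXT))
```

To check a real file, pass the bytes of `open(path, "rb").read()` to `inspect_capture`; the pcapng format that newer Wireshark versions default to has a different header and will be reported as unknown, not text.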
 
On Sun, 22 Aug 2010 18:05:38 -0400 Jeffs wrote:
>  Hi Joke and thank you once again for your help and patience. I am 
>using the following command on a .pcap file which which was created 
>using wireshark:
>
>tshark -r new.pcap -R "http.host contains "www" -w outfile.pcap
>
>I then type "more outfile.pcap" and see data that looks like following.
>This looks like text, not the normal .pcap binary output I normally see
>when I "more" a binary .pcap file:
>=======================================
>l?`L?]
>
>Host: www.nytimes.com
>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>Accept-Language: en-us,en;q=0.5
>Accept-Encoding: gzip,deflate
>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>Keep-Alive: 115
>Connection: keep-alive
>
><snip>
>==========================================
>
>However, when I more the input file, like so:
>
>more new.pcap then I do see binary output, like so:
>
>On 8/22/2010 1:17 PM, j.snelders wrote:
>> Hi Jeffs,
>>
>> Did you use the option -w outfile?
>>
>> See tshark -h or the manpage:
>> http://www.wireshark.org/docs/man-pages/tshark.html
>> -w<outfile>  | -
>>
>>      Write raw packet data to outfile or to the standard output if outfile
>> is '-'.
>>
>>      NOTE: -w provides raw packet data, not text. If you want text output
>> you need to redirect stdout (e.g. using '>'), don't use the -w option for
>> this.
>>
>> Best regards
>> Joke
>>
>>
>> On Sun, 22 Aug 2010 10:59:16 -0400 Jeffs wrote:
>>>   Hi Joke and thank you for your reply.  This prints out a text file,
>>> not a pcap standard file.  Well, it seems that way to me -- if I compare
>>> that outfile to a standard .cap file they are two totally different animals.
>>>
>>> I think I need an output that is totally .pcap.
>>>
>>> I could very possibly be wrong on all counts as I'm new to wireshark/tshark.
>>>
>>> On 8/20/2010 11:03 AM, j.snelders wrote:
>>>> Hi Jeffs,
>>>>
>>>> You can use a display filter -R "http.host contains "www"" and write the
>>>> packets to -w outfile:
>>>> $ tshark -r infile.pcap -R "http.host contains "www"" -w outfile.pcap
>>>>
>>>> Best regards
>>>> Joke
>>>>
>>>> On Fri, 20 Aug 2010 09:55:26 -0400 Jeffs wrote:
>>>>>    I doubt that Tshark can output a file in apache log format, but
>>>>> another program, justniffer, can read a .cap file and output in apache
>>>>> log format.
>>>>>
>>>>> I am currently using the following tshark command line to extract only
>>>>> sessions with 'www.' in the link:
>>>>>
>>>>> tshark -r test.pcap -T fields -e http.host  | sed 's/?.*$//' | sed -n
>>>>> '/www./p'  | sort | uniq -c | sort -rn | head -n 500
>>>>>
>>>>> but this output is not in apache log format for use by justniffer.
>>>>>
>>>>> Can someone suggest a method to:
>>>>>
>>>>> either use tshark to output in apache log format only data with "www."
>>>>> in the data, or
>>>>>
>>>>> use a tshark command line sequence to output a "standard" .cap file that
>>>>> would contain all the usual .cap data but only for those records that
>>>>> contain "www." in them.
>>>>>
>>>>> Thanks.