Wireshark-users: Re: [Wireshark-users] The best method to extract the subset of HTTP fields from
From: Vitaly Repin <vitaly.repin@xxxxxxxxx>
Date: Mon, 11 Jan 2016 11:38:15 +0200
Hello,


Thanks to all the answers.

Just for the reference, I'll describe my current solution here.

I use tap and function all_field_infos() there.

So, lua tap listener looks like:

-- Get a table of fields
  local fields = { all_field_infos() }
  -- Field names in Wireshark notation:
https://www.wireshark.org/docs/dfref/h/http.html
  local http_field_names = { "http.user_agent",
    "http.referer",
  }
  local out_field_names = { "user_agent",
    "referer",
  }

  for ix, finfo in ipairs(fields) do
    for i, nm in ipairs(http_field_names) do
      if finfo.name == nm then
        out[out_field_names[i]] = getstring(finfo)
      end
    end
  end

  local json_pretty = JSON:encode(out)

And then I put json_pretty to the output log file.

It's important to use " -T fields -e http.content_type" (or any other
http field) in the tshark's cmdline.  Otherwise http dissector is not
being luanched and all_field_infos() does not return http fields.


2016-01-07 0:34 GMT+02:00 Vitaly Repin <vitaly.repin@xxxxxxxxx>:
>
> Hello,
>
> As of now they are standard. E.g., Referer and response body.
>
> " it's possible for them to be added as fields (which will then appear
> in pinfo)".  How can I do it?
> Is it done through
>
>  How can I add them to pinfo? Can "-T fileds, -e ..." help me here?
>
> 2016-01-06 19:52 GMT+02:00 Abhik Sarkar <sarkar.abhik@xxxxxxxxx>:



-- 
WBR & WBW, Vitaly