Wireshark-users: Re: [Wireshark-users] The best method to extract the subset of HTTP fields from
Hello,
Thanks for all the answers.
Just for reference, I'll describe my current solution here.
I use a tap and the function all_field_infos() in it.
So, the Lua tap listener looks like:
    -- Get a table of all fields in the current packet's dissection tree
    local fields = { all_field_infos() }
    -- Field names in Wireshark notation:
    -- https://www.wireshark.org/docs/dfref/h/http.html
    local http_field_names = { "http.user_agent",
                               "http.referer",
    }
    -- Key names used in the JSON output, same order as http_field_names
    local out_field_names = { "user_agent",
                              "referer",
    }
    local out = {}
    for ix, finfo in ipairs(fields) do
        for i, nm in ipairs(http_field_names) do
            if finfo.name == nm then
                -- getstring() is the poster's helper that turns a FieldInfo into a string
                out[out_field_names[i]] = getstring(finfo)
            end
        end
    end
    -- JSON is a JSON encoder loaded earlier in the script (not shown in the post)
    local json_pretty = JSON:encode(out)
And then I put json_pretty into the output log file.
It's important to use "-T fields -e http.content_type" (or any other
HTTP field) on tshark's command line. Otherwise the HTTP dissector is not
launched and all_field_infos() does not return the HTTP fields.
2016-01-07 0:34 GMT+02:00 Vitaly Repin <vitaly.repin@xxxxxxxxx>:
>
> Hello,
>
> As of now they are standard. E.g., Referer and response body.
>
> " it's possible for them to be added as fields (which will then appear
> in pinfo)". How can I do it?
> Is it done through
>
> How can I add them to pinfo? Can "-T fields, -e ..." help me here?
>
> 2016-01-06 19:52 GMT+02:00 Abhik Sarkar <sarkar.abhik@xxxxxxxxx>:
--
WBR & WBW, Vitaly
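As an added example (not the poster's script and not part of the original thread), here is a complete tshark tap that does the same job end to end: it maps a set of http.* field names to output keys in one table instead of two parallel lists, keeps every value when a field repeats inside one frame (pipelined requests or several HTTP messages in one TCP segment), and writes one JSON object per matching frame without an external JSON library. The file name http_fields_tap.lua, the output path, and the invocation in the header comment are assumptions. It also passes true as the third argument of Listener.new, which the Wireshark Lua API reference documents as "allfields" for 1.11.3 and later; whether that makes the "-T fields -e http.content_type" workaround unnecessary on a given tshark version is something to verify on your own build.

```lua
-- http_fields_tap.lua (added example; assumptions marked inline).
-- Assumed invocation:
--   tshark -q -r capture.pcap -X lua_script:http_fields_tap.lua \
--          -X lua_script1:http_fields.json
-- Output: one JSON object per frame that carries HTTP, one per line.

-- -X lua_script1:<path> is exposed to the script as arg[1] (assumed);
-- fall back to a fixed file name when no argument was given.
local out_path = (arg and arg[1]) or "http_fields.json"

-- Wireshark field name -> key in the JSON record.
local wanted = {
    ["http.request.method"] = "method",
    ["http.host"]           = "host",
    ["http.request.uri"]    = "uri",
    ["http.user_agent"]     = "user_agent",
    ["http.referer"]        = "referer",
    ["http.response.code"]  = "status",
    ["http.content_type"]   = "content_type",
}

-- tostring() on a FieldInfo can throw for some field types; never let one
-- odd field abort the whole tap.
local function getstring(finfo)
    local ok, s = pcall(tostring, finfo)
    return ok and s or "(unprintable)"
end

-- Minimal JSON string encoding: quotes, backslashes and control characters
-- (log injection via a crafted User-Agent or Referer) are escaped.
local function json_string(s)
    local escaped = s:gsub('[%c"\\]', function(c)
        local known = { ['"'] = '\\"', ['\\'] = '\\\\', ['\n'] = '\\n',
                        ['\r'] = '\\r', ['\t'] = '\\t' }
        return known[c] or string.format('\\u%04x', c:byte())
    end)
    return '"' .. escaped .. '"'
end

-- Encode a flat record of numbers, strings or arrays of strings.
-- Keys are sorted so the output is stable and easy to diff.
local function encode(rec)
    local keys = {}
    for k in pairs(rec) do keys[#keys + 1] = k end
    table.sort(keys)
    local parts = {}
    for _, k in ipairs(keys) do
        local v = rec[k]
        if type(v) == "table" then
            local items = {}
            for i, s in ipairs(v) do items[i] = json_string(s) end
            v = "[" .. table.concat(items, ",") .. "]"
        elseif type(v) == "number" then
            v = tostring(v)
        else
            v = json_string(tostring(v))
        end
        parts[#parts + 1] = json_string(k) .. ":" .. v
    end
    return "{" .. table.concat(parts, ",") .. "}"
end

-- Tap "frame" with display filter "http": packet() fires only for frames
-- the HTTP dissector claimed. Third argument: allfields=true (see note above).
local tap = Listener.new("frame", "http", true)
local fh = assert(io.open(out_path, "w"))
local count = 0

function tap.packet(pinfo, tvb)
    local rec = {
        frame = pinfo.number,
        src   = tostring(pinfo.src),
        dst   = tostring(pinfo.dst),
    }
    local matched = false
    for _, finfo in ipairs({ all_field_infos() }) do
        local key = wanted[finfo.name]
        if key then
            matched = true
            local val = getstring(finfo)
            local cur = rec[key]
            -- A field may occur more than once per frame: keep every value.
            if cur == nil then
                rec[key] = val
            elseif type(cur) == "table" then
                cur[#cur + 1] = val
            else
                rec[key] = { cur, val }
            end
        end
    end
    if matched then
        fh:write(encode(rec), "\n")
        count = count + 1
    end
end

-- draw() runs once at the end of the input file in tshark.
function tap.draw()
    fh:close()
    print(string.format("wrote %d HTTP records to %s", count, out_path))
end
```

The record includes the frame number and the two addresses so each line can be traced back to the capture; keeping repeated fields as arrays rather than letting the last value win matters when the point of the extraction is to spot, for example, two different Host headers in one segment.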