This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark http get x-forwarded-for ip in one line

Hey all,

Is it possible to have HTTP GET request and X-forwarded-for IP and the time in 1 single line?

I am having difficulties:

tshark -i eth0 -n tcp port 80 -x -R 'http.request.method == "GET"' | grep "HTTP GET"

0.158435 10.128.99.11 -> 46.12.12.14 HTTP GET /check.html HTTP/1.0

Appreciate any help given.

asked 21 Jun '13, 09:53

diden


2 Answers:

Try this after capturing and saving the file.

tshark -r <yourpcap> -T fields -e http.request.method -e http.request.uri -e http.x_forwarded_for -e frame.time_relative

answered 21 Jun '13, 13:37

krishnayeddula

edited 21 Jun '13, 14:31

If they're in the same packet, from a live capture (Note: from this example you can add any container that you want to display as a column just by adding more -e's):

tshark -i eth0 -R 'tcp.port==80&&http.request.method=="GET"&&http.x_forwarded_for' -T fields -e frame.time -e http.request.method -e http.request.uri

The other answer will work, except that your initial capture was with a display filter. You cannot save a live capture in tshark while using a display filter on it, so the result of the other answer's output would be the lines you want, plus a lot of unwanted empty space for packets which match your unfiltered -r request on the whole trace but don't have the fields you're looking for. Another way to do it would be to save with a capture filter, then read it against a display filter, but in this case you can do it in one step since you're just looking for the field output on a live capture.

answered 21 Jun '13, 19:01

Quadratic

edited 21 Jun '13, 19:12

Yes, you are right that I need a live capture on screen.

I tried the following but did not see the x-forwarded-ip. Am I missing something?

tshark -i eth0 -R 'tcp.port==80&&http.request.method=="GET"&&http.x_forwarded_for' -T fields -e frame.time -e http.request.method -e http.request.uri

(21 Jun '13, 20:55) diden

I found what I needed with both your help. Thanks.

tshark -i eth0 -R 'tcp.port==80&&http.request.method=="GET"&&http.x_forwarded_for' -T fields -e http.x_forwarded_for -e frame.time -e http.request.method -e http.request.uri

(21 Jun '13, 20:57) diden
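
An added example, not part of the original thread: a small post-processing filter for `tshark -T fields` output that drops the empty rows mentioned above and prints one line per GET request. It goes slightly beyond the thread by also handling an X-Forwarded-For value that carries a comma-separated proxy chain. The function names, the column order, the sample rows and the `-l`/`-f` usage in the comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Expects tab-separated columns in this
# order: frame.time_relative, http.x_forwarded_for, http.request.method,
# http.request.uri.
#
# Live use, assuming interface eth0 as in the thread (-l flushes per packet,
# -f is a capture filter):
#   tshark -i eth0 -l -f 'tcp port 80' -T fields -e frame.time_relative \
#       -e http.x_forwarded_for -e http.request.method -e http.request.uri \
#       | one_line_per_get

# Print "time client method uri via=N" for each GET request on stdin.
one_line_per_get() {
    awk -F '\t' '
        # Packets without HTTP request fields produce empty columns: skip them.
        $3 != "GET" { next }
        {
            # Requests that did not pass through a proxy have no header at all.
            xff = ($2 == "") ? "-" : $2
            # The header may list several hops ("client, proxy1, proxy2").
            # The first entry is only the *claimed* client: the header is
            # supplied by the sender, so treat it as untrusted in any report.
            n = split(xff, hops, /, */)
            printf "%s %s %s %s via=%d\n", $1, hops[1], $3, $4, n - 1
        }'
}

# Constructed sample rows in the shape tshark -T fields would emit.
sample_rows() {
    printf '0.158435\t203.0.113.7\tGET\t/check.html\n'
    printf '0.160001\t\t\t\n'
    printf '0.201110\t198.51.100.4, 10.0.0.5\tGET\t/index.html\n'
    printf '0.250000\t\tGET\t/direct.html\n'
    printf '0.300000\t203.0.113.7\tPOST\t/login\n'
}

# Demonstration on the constructed rows.
sample_rows | one_line_per_get
```
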