This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using tshark to save filtered packets to file

1

Hello.

I want to use tshark with this display filter "http.content_type contains html" and save each resulting reassembled packets to their own separate file, not one file for all flows. Is that possible ?

What I could come up with was

tshark -r test.packets -Y "http.content_type contains html" -w htmlfiles.packets

But that's not even close to what was intended. This is the graphical way to do it in wireshark

wireshark version

Thanks for any help.

asked 29 Dec '14, 00:38

ychaouche's gravatar image

ychaouche
315610
accept rate: 100%

edited 26 Dec '16, 02:56

3 Answers:

2

Have you looked at the built-in export option for HTTP (File -> Export Objects -> HTTP and then choose "Save All")?

If you only need "html" objects, first filter on the html content type, then "export specified packets to disk", load the newly saved file and then go to "Export Objects".

answered 08 Mar '15, 04:16

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Exactly what I was looking for, no need for tshark ! thanks a ton sorry for late reply.

(26 Dec '16, 03:47) ychaouche

1

I would think there's some way to do that, but I can't seem to find it. For most fields you can get their value using the "-T fields -e [fieldname]" command switch for tshark, but in HTTP the field would be the data-text-lines field, but that will only give you something like "Line-based text data: text/html" instead of the whole content body.

So here's a way to do it using a Lua script - copy/paste the Lua script code at the bottom of this answer into a file, such as extract.lua. Then run tshark in the following way:

# the below is all one line
tshark -r [input_filename] -Y 'http.content_type contains html' -X lua_script:extract.lua
    -X lua_script1:data-text-lines -T fields -e extractor.value.string > output_file.txt

What that will do is read in the file ("[input_filename]"), filter the packets so you only get the ones with content-type html, with the Lua script file named "extract.lua", and pass into the Lua script an argument of "data-text-lines" which the Lua script uses as the field you want to extract. The Lua script will create a new field called "extractor.value.string" of the string contents of the passed-in field "data-text-lines", so the "-T fields -e extractor.value.string" switch tells tshark to print that out. It then saves the output to a file using the "> output_file.txt" .

Here's the Lua script:

-- grab the passed-in argument(s)
local args = { ... }

– exit if no arguments were passed in
if #args == 0 then
return
end


– a table to hold field extractors
local fields = {}


– create field extractor(s) for the passed-in argument(s)
for i, arg in ipairs(args) do
fields[i] = Field.new(arg)
end


– our fake protocol
local exproto = Proto.new("extractor", "Data Extractor")


– the new fields that contain the extracted data (one in string form, one in hex)
local exfield_string = ProtoField.new("Extracted String Value", "extractor.value.string", ftypes.STRING)
local exfield_hex    = ProtoField.new("Extracted Hex Value", "extractor.value.hex", ftypes.STRING)


– register the new fields into our fake protocol
exproto.fields = { exfield_string, exfield_hex }


function exproto.dissector(tvbuf,pktinfo,root)
local tree = nil


for i, field in ipairs(fields) do
    -- extract the field into a table of FieldInfos
    finfos = { field() }

    if #finfos > 0 then
        -- add our proto if we haven't already
        if not tree then
            tree = root:add(exproto)
        end

        for _, finfo in ipairs(finfos) do
            -- get a TvbRange of the FieldInfo
            local ftvbr = finfo.tvb
            tree:add(exfield_string, ftvbr:string(ENC_UTF_8))
            tree:add(exfield_hex,tostring(ftvbr:bytes()))
        end
    end
end



end


register_postdissector(exproto, true)

answered 30 Dec ‘14, 10:22

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

edited 30 Dec ‘14, 10:31

How can I store the result for each matched packet to a separate file? Not just store all the content into one file. Thanks

(07 Mar ‘15, 17:43) gunxueqiucjw

0

I have the same issue although I have approached it from a different way. I perform a capture using tshark and within the wireshark dissector, I read the values I want to record, in my case raw and enumerated values using tvb_get_bits8 and similar calls in doc/README.dissectors, then output these values to a data file, in my case, a comma delimited file for later perusal.

So to read these values, I have to step thru the messages thru wireshark. I ensure I do not have duplicate values by maintaining a binary array of sequence numbers so redundant messages aren't output. All sorted by time.

I admit this is a roundabout way of doing this. It works, and it's easy, but it involves stepping thru a lot of message in wireshark to get my data file.

answered 25 Feb '15, 13:45

srmafghan's gravatar image

srmafghan
62
accept rate: 0%