I want to use tshark with this display filter "http.content_type contains html" and save each resulting reassembled packet to its own separate file, not one file for all flows. Is that possible?
What I could come up with was
But that's not even close to what was intended. This is the graphical way to do it in Wireshark
Thanks for any help.
asked 29 Dec '14, 00:38
edited 26 Dec '16, 02:56
Have you looked at the built-in export option for HTTP (File -> Export Objects -> HTTP and then choose "Save All")?
If you only need "html" objects, first filter on the html content type, then "export specified packets to disk", load the newly saved file and then go to "Export Objects".
answered 08 Mar '15, 04:16
I would think there's some way to do that, but I can't seem to find it. For most fields you can get their value using the "
So here's a way to do it using a Lua script - copy/paste the Lua script code at the bottom of this answer into a file, such as
What that will do is read in the file ("
Here's the Lua script:
answered 30 Dec '14, 10:22
edited 30 Dec '14, 10:31
I have the same issue, although I have approached it in a different way. I perform a capture using tshark and, within the Wireshark dissector, I read the values I want to record, in my case raw and enumerated values, using tvb_get_bits8 and similar calls in doc/README.dissectors, then output these values to a data file, in my case a comma-delimited file for later perusal.
So to read these values, I have to step through the messages in Wireshark. I ensure I do not have duplicate values by maintaining a binary array of sequence numbers so redundant messages aren't output. All sorted by time.
I admit this is a roundabout way of doing this. It works, and it's easy, but it involves stepping through a lot of messages in Wireshark to get my data file.
answered 25 Feb '15, 13:45