
Currently I am using tshark with the command below to capture only packets which contain a GET request. The problem is that the capture file is still too big, and the capture time is locked in at 1-hour captures. Does anyone know how I could modify the command below to capture only GET requests that contain ".exe" or ".jar" somewhere in them? Or, if someone knows of another command-line capture utility which can do this, please let me know. Thanks.

cd D:\Desktop\test && tshark -f "port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420" -i 3 -b duration:3600 -b files:1 -w testing.cap

asked 01 Jan '15, 21:11

zer0day


Unfortunately, that would require looping over the packet contents, and the mechanism used for capture filtering doesn't support loops (the filters are, on most OSes, interpreted in the kernel, so strict limits are placed on what they can do, so that, for example, a program can't cause an infinite loop) and doesn't have a pattern-matching primitive, so that's not possible.


answered 02 Jan '15, 14:08

Guy Harris

Thanks for the thorough clarification, at least now I can stop beating that dead horse.

(02 Jan '15, 18:25) zer0day

> Or if someone knows of another command-line capture utility which can do this please let me know, thanks.

Take a look at ngrep.

See also my answer to a similar question:

https://ask.wireshark.org/questions/23824/how-to-filter-packets-while-capturing-them-using-tcpdump-on-linux-based-on-a-diameter-avp-value

Please read the ngrep man page for the filter syntax.

Regards
Kurt


answered 04 Jan '15, 02:45

Kurt Knochner

edited 04 Jan '15, 03:32

The machine used to capture is of the Windows 7 (x64) variety, sorry, I should have stated that. And I'm looking to reduce capture size by only capturing packets that are GET requests containing ".exe" or ".jar". Filtering is no problem post-capture, as I convert the .cap to a text file and then pull out what I need with a PowerShell script; it's just that filtering was taking over an hour because an hourly capture is 2GB-3GB. It turned out that my command from my first post was sufficient: capture only GET requests, then filter with PowerShell. Thanks for the effort though.

(07 Jan '15, 18:29) zer0day

ngrep is available on Windows as well. Just google for it.

(08 Jan '15, 05:20) Kurt Knochner ♦

From the downloads page, "Windows 95, 98, NT, 2000, XP, 2003 x86 "

(08 Jan '15, 07:22) zer0day

Only because ngrep hasn't been updated since 2006, i.e. pre-Vista so the page hasn't been updated. Try it, I'd guess it will work on Win 7.

(08 Jan '15, 08:34) grahamb ♦

It works on Win7 64Bit!

ngrep -L
ngrep -d 4 -s 0 -O http.pcap "GET /"

See the man page for more options!

(08 Jan '15, 08:57) Kurt Knochner ♦
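The two points made above, Guy's that a BPF capture filter can only compare bytes at computed fixed offsets, and the follow-up that the ".exe"/".jar" test therefore has to happen after capture, as an added Python example. This is not code from the thread, from Wireshark or from ngrep; the sample packets, the in-memory pcap writer/reader and all function names are constructed here for illustration. It emulates the question's filter expression over hand-built IPv4/TCP packets (one carrying TCP options, to show why the data-offset arithmetic in the filter is needed) and then runs the variable-position substring check that the capture filter cannot express.

```python
"""Added example, not from the original thread: emulate the capture filter in
the question over hand-built packets, then apply the user-space check that a
BPF capture filter cannot express (a substring at a variable position)."""
import struct

# ---- constructed test packets: IPv4/TCP with no link-layer header ----------

def build_packet(payload: bytes, tcp_options: bytes = b"", dport: int = 80) -> bytes:
    """Minimal IPv4/TCP packet; checksums are left zero, filtering ignores them."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = 5 + len(tcp_options) // 4
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        49152, dport,                 # source port, destination port
        1, 1,                         # seq, ack
        data_offset_words << 4,       # byte 12: data offset in the high nibble
        0x18,                         # flags: PSH|ACK
        65535, 0, 0,                  # window, checksum, urgent pointer
    )
    segment = tcp_header + tcp_options + payload
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(segment),   # version 4 / IHL 5, DSCP, total length
        0, 0, 64, 6, 0,               # id, flags/frag, TTL, protocol 6 = TCP, checksum
        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]),  # RFC 5737 test addresses
    )
    return ip_header + segment

def tcp_payload(pkt: bytes):
    """Return (sport, dport, payload) or None if not IPv4/TCP. Mirrors the
    offset arithmetic libpcap emits for 'tcp[...]' in the capture filter."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] & 0xF0) >> 2  # (words << 4) >> 2 == words * 4 == header bytes
    return sport, dport, tcp[data_off:]

def capture_filter_match(pkt: bytes) -> bool:
    """Emulates 'port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'.
    Every byte it inspects sits at a computed fixed offset: no scanning."""
    parsed = tcp_payload(pkt)
    if parsed is None:
        return False
    sport, dport, payload = parsed
    return 80 in (sport, dport) and payload[:4] == b"GET "

def wanted_request(pkt: bytes) -> bool:
    """What the asker wanted: a GET whose request-target contains .exe or .jar.
    The extension can sit anywhere in a variable-length line, so this needs a
    scan and has to run after capture (tshark -Y, ngrep, or a script)."""
    if not capture_filter_match(pkt):
        return False
    request_line = tcp_payload(pkt)[2].split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False
    target = parts[1].lower()
    return b".exe" in target or b".jar" in target

# ---- minimal pcap writer/reader so the post-capture pass can be shown -------

LINKTYPE_RAW = 101  # IPv4/IPv6 with no link-layer header (a real capture has Ethernet)

def write_pcap(packets) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1420000000 + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def read_pcap(blob: bytes):
    magic, *_, linktype = struct.unpack("<IHHiIII", blob[:24])
    assert magic == 0xA1B2C3D4 and linktype == LINKTYPE_RAW
    pos = 24
    while pos + 16 <= len(blob):
        _sec, _usec, incl_len, _orig = struct.unpack("<IIII", blob[pos:pos + 16])
        pos += 16
        yield blob[pos:pos + incl_len]
        pos += incl_len

def filter_capture(blob: bytes):
    """Post-capture pass: keep only the records the asker cares about."""
    return [p for p in read_pcap(blob) if wanted_request(p)]

# Constructed sample traffic (not from any real capture).
SAMPLE = [
    build_packet(b"GET /downloads/update.exe HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_packet(b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # TCP timestamp option present: header is 32 bytes, so a filter that
    # hard-coded tcp[20:4] would miss this one; the data-offset arithmetic does not.
    build_packet(b"GET /lib/app.JAR HTTP/1.1\r\nHost: example.com\r\n\r\n",
                 tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
    build_packet(b"POST /upload.exe HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_packet(b"GET /setup.exe HTTP/1.1\r\nHost: example.com\r\n\r\n", dport=8080),
]

if __name__ == "__main__":
    print("capture filter keeps:", sum(capture_filter_match(p) for p in SAMPLE), "of", len(SAMPLE))
    for p in filter_capture(write_pcap(SAMPLE)):
        print("wanted:", tcp_payload(p)[2].split(b"\r\n", 1)[0].decode())
```

The capture filter keeps three of the five packets (every GET on port 80), and only the post-capture pass narrows that to the two requests naming an .exe or .jar. Applied to the testing.cap from the question, the same pass additionally has to skip the Ethernet header that a real interface capture carries; the constructed file uses LINKTYPE_RAW so there is none. With tshark itself the equivalent is a display filter at read time, for example -r testing.cap -Y 'http.request.method == "GET" && http.request.uri contains ".exe"', which is the same kind of user-space scan.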
question was seen: 4,627 times

last updated: 08 Jan '15, 08:57

p​o​w​e​r​e​d by O​S​Q​A