Hi Guys, first post here so be gentle! I've written a script to capture traffic over our 2x new & 2x old Proxy Appliances. It simply sets a static IP, applies a Proxy, starts a 60 second capture and navigates to 3 content heavy websites, saving a cap file per scenario tested. I'm generating 39 cap files a day.

What I basically want is the ability to process a directory full of cap files into a csv file detailing the http response delta of even just one http request per cap file, so I can build a map of delays at certain times of the day on certain devices, preferably from command line, though at this stage I'm not fussed!

I've tried tcpdump for win, and bash for win following this guide. As insane as that sounds, it's the closest guide I can find to help me out here, though I keep getting syntax errors which is possibly a porting problem. I also don't understand bash well enough to rewrite the command without the escape operators.

I've got the Solarwinds Response Time Viewer for Wireshark, which does almost exactly what I want, however it only processes 1 cap file at a time and has no export results or cli, requiring a fairly laborious copy and paste into excel per cap file, and to do nearly 200 a week manually will cause me to go insane.

EDIT: I tried the following from this article (the specified IP being my machine's IP) and I got the following error:
Any help is very much appreciated! Thanks very much in advance.

asked 03 Mar '15, 03:27 Bumpudll3, edited 03 Mar '15, 03:55
One Answer:
Use an uppercase -Y. If you list the exact values you need from the capture, then we may be able to help with a better filter and fields selection. What version of tshark are you using?

answered 03 Mar '15, 04:41 grahamb ♦
Hi, thanks for the response. All I'm after is how long in seconds it takes between http request & response when I navigate to a particular external website, for example msn.com. I would like to then export this to a single line in a CSV so I can compare results over the course of a week.
I'm using the newest version (1.12.3)
When I change the -y to uppercase, I no longer get any errors, & it exports to CSV happily :)
The formatting of the CSV is very hard to read as IP, response time & hostname are all squashed into one line with no spaces.
Can you help me out with formatting?
Thanks!
Try this:
tshark -nr yourfile.pcapng -2 -Y "http.time || http.request.full_uri" -T fields -e frame.number -e http.request.full_uri -e http.response_in -e http.response.code -e http.time -e http.request_in
This gives you the frame number, then for a request the uri and the frame number of the response, or for a response, the status code and the response time and the frame number of the request.
You sir are a Hero!!! Thanks v much. That's looking fantastic, can I ask 1 further question. How do I amend your response to just return 1 x particular url response time? Presumably via a string filter?
Also while I have your support - is it possible to return the NAME of the source input cap file into the csv on the same line? Thanks!
James
I don't think that you can easily filter on a single request uri, as that filter would then exclude the response which has the response time. I think you'll just have to post-process that.
I'm not aware of any way to get the filename into tshark output, again a post-processing task.
There is some formatting control for the fields, have a look at the -E parameter, e.g. -E "separator=," -E "quote=d" to double quote values and add a comma separator.
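The two post-processing tasks grahamb points to (filtering the tshark output down to one URL while keeping the response that carries http.time, and prepending the capture filename) can be done in a few lines of Python. The script below is an added example, not code from the thread or from the Wireshark project. It assumes the field list from the answer above is exported with tshark's default tab separator, that requests and responses are paired through frame.number / http.response_in / http.request_in (which is why the answer uses two-pass mode, -2), and it uses constructed sample output in SAMPLE_FIELDS so it can be exercised without tshark present; the directory walker at the bottom (summarize_directory) is the part that actually shells out to tshark.

```python
"""Turn a directory of captures into one CSV of per-request HTTP response times.

Added example (not from the thread). Assumes tshark was run with the field
list from the answer: frame.number, http.request.full_uri, http.response_in,
http.response.code, http.time, http.request_in, tab-separated (tshark default).
"""
import csv
import io
import os
import subprocess
import sys

FIELDS = ["frame.number", "http.request.full_uri", "http.response_in",
          "http.response.code", "http.time", "http.request_in"]

# Constructed sample of tshark -T fields output: two request/response pairs
# and one request (frame 40) whose response never arrived inside the capture.
SAMPLE_FIELDS = (
    "12\thttp://www.msn.com/\t15\t\t\t\n"
    "15\t\t\t200\t0.083000000\t12\n"
    "27\thttp://www.msn.com/static/a.js\t31\t\t\t\n"
    "31\t\t\t200\t0.120000000\t27\n"
    "40\thttp://www.msn.com/slow\t\t\t\t\n"
)


def tshark_cmd(capture_path):
    """argv for the tshark command from the answer; -2 (two-pass) is needed so
    http.response_in is populated on the request frame."""
    cmd = ["tshark", "-nr", capture_path, "-2",
           "-Y", "http.time || http.request.full_uri", "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def pair_requests(fields_output, url_substring=""):
    """Join request rows to response rows via frame numbers.

    Returns a list of (uri, status_code, response_seconds) for every request
    whose URI contains url_substring; response_seconds is None when no
    response was captured.
    """
    requests = {}   # request frame number -> uri
    responses = {}  # request frame number (from http.request_in) -> (code, secs)
    for line in fields_output.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(FIELDS) - len(cols))      # pad short rows
        frame, uri, _resp_in, code, http_time, req_in = cols[:6]
        if uri:
            requests[frame] = uri
        if req_in and http_time:
            responses[req_in] = (code, float(http_time))
    rows = []
    for frame, uri in requests.items():               # keeps capture order
        if url_substring not in uri:
            continue
        code, secs = responses.get(frame, ("", None))
        rows.append((uri, code, secs))
    return rows


def to_csv_rows(capture_name, rows):
    """One CSV line per matched request: capture file, uri, status, seconds."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for uri, code, secs in rows:
        writer.writerow([capture_name, uri, code,
                         "" if secs is None else f"{secs:.6f}"])
    return buf.getvalue()


def summarize_directory(capture_dir, url_substring, out_path):
    """Run tshark over every capture in capture_dir and append to one CSV."""
    with open(out_path, "w", newline="") as out:
        out.write("capture,uri,status,response_seconds\n")
        for name in sorted(os.listdir(capture_dir)):
            if not name.endswith((".cap", ".pcap", ".pcapng")):
                continue
            result = subprocess.run(tshark_cmd(os.path.join(capture_dir, name)),
                                    capture_output=True, text=True, check=True)
            out.write(to_csv_rows(name, pair_requests(result.stdout, url_substring)))


if __name__ == "__main__":
    # usage: python response_times.py <capture_dir> [url_substring]
    summarize_directory(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "",
                        "response_times.csv")
```

Because the capture is one cap file per scenario, the filename column is what lets the rows be pivoted by time of day and proxy in a spreadsheet; the url_substring argument (for example "msn.com") is the string filter James asked about, applied after tshark so the response frames are never dropped by the display filter.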