This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Show visited http address and “who” (ip address) who requested given url

0

Hello,

I have tried following: Statistics -> HTTP -> Load Distribution, setting the filter "tcp.port == 80", then I get in the dialog that pops up HTTP urls that were/are called in the network (promiscuous mode is of course on).

I see when someone on the network calls address by name, but I can not differentiate who called the address.

Is there any easy way how to filter out traffic on the network in form of table, which could possibly look like this?

| Time | Domain/url address visited | IP of who visited the address |

Thanks in advance for any help provided!

asked 27 Sep '15, 12:34

ddaniel's gravatar image

ddaniel
6112
accept rate: 0%

One Answer:

0

You can use tshark for that:

tshark -nr http.pcap -T fields -e frame.time -e http.request.full_uri -e ip.src -E separator=;

Regards
Kurt

answered 27 Sep '15, 23:47

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks for the reply but - is this tshark version specific? It tells me that "Separator" can not be used with option=value pair. Can you provide me with further assistance please?

(28 Sep '15, 01:24) ddaniel