This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to dump only IP address and http.user_agent field info?

0

If the packet doesn't have a http.user_agent field, don't dump any data.

If the packet does have a http.user_agent field, dump the IP address and the http.user_agent field information as follows:

tshark -r -w File1.pcapng -T fields -e ip.src -e http.user_agent -w File1.pcapng

But it's not doing what I want.

Any suggestions as to how to get it to work.

FWIW

asked 24 Jul '16, 22:38

wbenton

For starters remove the first '-w File1.pcapng' and replace with the filename you intend to read (not being File1.pcapng).

(24 Jul '16, 23:43) Jaap ♦

Sorry about that, when I renamed the actual file with a temporary filename, I guess I replaced too much.

The following is actually what I was trying:

tshark -r File1.pcapng -T fields -e ip.src -e http.user_agent -w File1.txt

But it outputs IP source for fields which don't have any http.user_agent field in it as well.

I only want output for fields which have the http.user_agent field in them... not for every single packet.

Any advice on how to do that?

(25 Jul '16, 17:00) wbenton

One Answer:

2

Add -Y http.user_agent to tshark parameters and replace the last -w with >. The expression following the -Y is a display filter; the -w instructs tshark to write the complete filtered packets into a new capture file, while the > tells the shell to write tshark's stdout into a (text) file.

The protocol fields specified using -e are printed independently from each other, i.e. if one of them is not present in a particular frame but the rest is, the rest is printed.

answered 25 Jul '16, 22:30

sindy
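The corrected pipeline from the answer, plus the post-filter you need when you already have a fields dump produced without -Y, as an added example that is not part of the original thread. It assumes tshark is on PATH and that File1.pcapng is the capture named in the question; the sample fields output embedded in the script is constructed to show the shape tshark prints (tab separated, with the second column empty for frames that carry no http.user_agent).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes tshark is installed and
# File1.pcapng is the capture from the question.

# 1. The corrected command from the answer: -Y keeps only frames that carry an
#    http.user_agent field, -T fields/-e selects the columns, and the caller's
#    shell redirect (>) writes the text; tshark's own -w would instead write
#    the matching packets into a new capture file.
dump_user_agents() {
    pcap=$1
    tshark -r "$pcap" -Y http.user_agent -T fields -e ip.src -e http.user_agent
}

# 2. Without -Y every frame is printed and a missing field comes out empty, so
#    a non-HTTP packet produces "<ip.src><TAB>". This awk filter drops such
#    lines after the fact, for the case where the dump already exists and
#    re-running tshark is not an option.
keep_with_ua() {
    awk -F '\t' '$2 != ""'
}

# 3. Practical follow-up: collapse to distinct (ip.src, user agent) pairs with
#    a hit count, i.e. a quick inventory of which host claims which client.
count_pairs() {
    sort | uniq -c | sort -rn
}

# Constructed sample of what "tshark -T fields -e ip.src -e http.user_agent"
# prints WITHOUT -Y: tab separated, second column empty for non-HTTP frames.
sample_fields_output() {
    printf '10.0.0.5\tMozilla/5.0 (X11; Linux x86_64)\n'
    printf '10.0.0.7\t\n'
    printf '10.0.0.5\tMozilla/5.0 (X11; Linux x86_64)\n'
    printf '10.0.0.9\tcurl/7.68.0\n'
    printf '10.0.0.7\t\n'
}

if [ "$#" -gt 0 ]; then
    # Real run against a capture:  sh ua.sh File1.pcapng > File1.txt
    dump_user_agents "$1" | count_pairs
else
    # Offline demonstration on the constructed sample.
    sample_fields_output | keep_with_ua | count_pairs
fi
```

Two caveats for real captures: -e ip.src is empty for HTTP carried over IPv6 (add -e ipv6.src if that traffic matters), and user agents inside TLS are not visible to the http dissector at all, so an HTTPS-heavy capture will yield far fewer lines than the packet count suggests.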

That did it...

Thanks!

(26 Jul '16, 19:15) wbenton