This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.
  1. How do I set the main window to display a column with the time of the URL visit?
  2. If tshark is installed on the server and people are connected over the VPN, how do I display in the program's capture list who is looking at a specific URL?
  3. And how do I display the user agent (which browser) for the URL viewed in the program's capture list log?
  4. If possible, how do I display the URLs of images, videos, banners and so on in the capture list, that is, everything that a page of the website or application loads?

asked 07 Jan '17, 19:08

Saldor

edited 08 Jan '17, 04:26

Jaap ♦

I would like to clarify that I use tshark on Ubuntu. After entering the above commands, this is what appeared:

tshark -2 -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e frame.number -e _ws.col.Time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.user_agent -e _ws.col.Info -i _interface_number_
frame.number,_ws.col.Time,ip.src,ip.dst,tcp.srcport,tcp.dstport,http.user_agent,_ws.col.Info
Running as user "root" and group "root". This could be dangerous.
Capturing on '_interface_number_'
tshark: The capture session could not be initiated (No such device exists).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
(09 Jan '17, 20:16) Saldor

When I run the list of commands without -i _interface_number, I get this message:

tshark -2 -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e frame.number -e _ws.col.Time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.user_agent -e _ws.col.Info
frame.number,_ws.col.Time,ip.src,ip.dst,tcp.srcport,tcp.dstport,http.user_agent, _ws.col.Info
Running as user "root" and group "root". This could be dangerous.
Capturing on 'venet0'

And then nothing happens.

(09 Jan '17, 22:24) Saldor

I adapted this from a command to extract the data from a pcap file. I've certainly made one mistake as I don't think you can specify the -2 parameter on a live capture. Let me have a think and I'll get back to you.

PS: The following should work for a captured file:

tshark -2 -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e frame.number -e _ws.col.Time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.user_agent -e _ws.col.Info -r _file_name/file_path_

(09 Jan '17, 23:30) PaulOfford

@Saldor: Your answers have been converted to comments as that's how this site works. Please read the FAQ for more information.

(09 Jan '17, 23:37) Jaap ♦

If I understand the question correctly, you need a command like this:

"c:\Program Files\Wireshark\tshark" -2 -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e frame.number -e _ws.col.Time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.user_agent -e _ws.col.Info -i _interface_number_

The interface number will be the one that shows the data flowing inside the VPN tunnel. This won't work for websites accessed using SSL.

Having said all of the above, it would be far easier to capture and analyse the activity using the web access log. If you are monitoring access to a Microsoft IIS web server you can read the log files into Wireshark using a free tool called TribeLab Workbench - see https://youtu.be/wHKocRR-reE


answered 09 Jan '17, 05:09

PaulOfford

edited 09 Jan '17, 05:11

grahamb ♦

Hi Saldor,

Sorry about the mistake. I don't have Ubuntu but the following works on my Centos 7 machine:

tshark -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e col.Time -e http.user_agent -e col.Info -i _interface_number_

My Centos machine is running a rather old release of tshark (1.10.14) and at some point the names of the time and Info columns were changed I think. Try the above and we'll tweak the column labels if necessary.


answered 09 Jan '17, 23:53

PaulOfford

edited 09 Jan '17, 23:54
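
The tshark -r command in the first answer prints comma-separated, double-quoted fields, and User-Agent strings themselves contain commas, so splitting each line on "," misaligns the columns. The following is an added example, not part of the original answers: it reads that output with Python's csv module and lists which client addresses requested a given path. The sample rows, addresses and function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the CSV printed by the tshark command with
# -E header=y -E separator=, -E quote=d; all addresses and values are made up.
SAMPLE = '''frame.number,_ws.col.Time,ip.src,ip.dst,tcp.srcport,tcp.dstport,http.user_agent,_ws.col.Info
"4","19:08:01.120431","10.8.0.6","192.0.2.10","51522","80","Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0 Safari/537.36","GET /index.html HTTP/1.1 "
"9","19:08:01.340112","10.8.0.6","192.0.2.10","51524","80","Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0 Safari/537.36","GET /img/banner.png HTTP/1.1 "
"15","19:09:44.001877","10.8.0.14","192.0.2.10","40210","80","curl/7.47.0","GET /index.html HTTP/1.1 "
"21","19:10:02.554300","10.8.0.14","192.0.2.10","40212","80","","POST /login HTTP/1.1  (application/x-www-form-urlencoded)"
'''


def parse_requests(text):
    """Parse tshark -T fields CSV; split method and path out of the Info column."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        parts = rec["_ws.col.Info"].split()
        if len(parts) < 2:
            continue  # Info did not look like "METHOD /path HTTP/1.x"
        rows.append({
            "time": rec["_ws.col.Time"],
            "client": rec["ip.src"],
            "method": parts[0],
            "path": parts[1],
            # Requests without a User-Agent header yield an empty field.
            "user_agent": rec["http.user_agent"] or "(none)",
        })
    return rows


def clients_for_path(rows, path):
    """Map each client IP that requested `path` to (time, user agent) pairs."""
    hits = defaultdict(list)
    for r in rows:
        if r["path"] == path:
            hits[r["client"]].append((r["time"], r["user_agent"]))
    return dict(hits)


if __name__ == "__main__":
    found = clients_for_path(parse_requests(SAMPLE), "/index.html")
    for client, seen in found.items():
        for when, agent in seen:
            print(client, when, agent)
```

To use it on real output, redirect the tshark command's output to a file and pass the file's contents to parse_requests in place of SAMPLE.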


question asked: 07 Jan '17, 19:08

question was seen: 1,740 times

last updated: 10 Jan '17, 03:03
