This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture in tshark the time of a URL visit, who looks at a specific URL, etc.

0
  1. As in the main window, how do I set a column to display the time of the URL visit?
  2. If tshark is installed on the server and people are connected over the VPN, then how do I display, in the program's capture list, who looks at a specific URL?
  3. And how do I display the user agent (which browser) that viewed the URL in the log of the program's capture list?
  4. If possible, how do I display the URLs of images, videos, banners and so on in the capture list, that is, everything that a page of the website or application loads?

asked 07 Jan '17, 19:08

Saldor

edited 08 Jan '17, 04:26

Jaap ♦

I would like to clarify that I use tshark on Ubuntu; after I entered the above commands, this is what appeared.

tshark -2 -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e frame.number -e _ws.col.Time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.user_agent -e _ws.col.Info -i _interface_number_ frame.number,_ws.col.Time,ip.src,ip.dst,tcp.srcport,tcp.dstport,http.user_agent,_ws.col.Info
Running as user "root" and group "root". This could be dangerous.
Capturing on '_interface_number_'
tshark: The capture session could not be initiated (No such device exists).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
(09 Jan '17, 20:16) Saldor

When I run the list of commands without -i _interface_number_, I get this message:

 tshark -2 -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e frame.number -e _ws.col.Time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.user_agent -e _ws.col.Info frame.number,_ws.col.Time,ip.src,ip.dst,tcp.srcport,tcp.dstport,http.user_agent, _ws.col.Info
Running as user "root" and group "root". This could be dangerous.
Capturing on 'venet0'

And then nothing happens.

(09 Jan '17, 22:24) Saldor

I adapted this from a command to extract the data from a pcap file. I've certainly made one mistake, as I don't think you can specify the -2 parameter on a live capture. Let me have a think and I'll get back to you.

PS: The following should work for a captured file:

tshark -2 -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e frame.number -e _ws.col.Time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.user_agent -e _ws.col.Info -r _file_name/file_path_

(09 Jan '17, 23:30) PaulOfford

@Saldor: Your answers have been converted to comments, as that's how this site works. Please read the FAQ for more information.

(09 Jan '17, 23:37) Jaap ♦

2 Answers:

0

If I understand the question correctly, you need a command like this:

"c:\Program Files\Wireshark\tshark" -2 -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e frame.number -e _ws.col.Time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.user_agent -e _ws.col.Info -i _interface_number_

The interface number will be the one that shows the data flowing inside the VPN tunnel. This won't work for websites accessed using SSL.

Having said all of the above, it would be far easier to capture and analyse the activity using the web access log. If you are monitoring access to a Microsoft IIS web server you can read the log files into Wireshark using a free tool called TribeLab Workbench - see https://youtu.be/wHKocRR-reE

answered 09 Jan '17, 05:09

PaulOfford

edited 09 Jan '17, 05:11

grahamb ♦

0

Hi Saldor,

Sorry about the mistake. I don't have Ubuntu but the following works on my Centos 7 machine:

tshark -q -ta -T fields -E separator=, -E quote=d -E header=y -Y http.request.method -e col.Time -e http.user_agent -e col.Info -i _interface_number_

My Centos machine is running a rather old release of tshark (1.10.14), and at some point the names of the time and Info columns were changed, I think. Try the above and we'll tweak the column labels if necessary.

answered 09 Jan '17, 23:53

PaulOfford

edited 09 Jan '17, 23:54
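The two answers above give the tshark command but stop at the raw CSV. The following is an added example, written for this archive and not code from the thread or from PaulOfford, that shows the rest of the job for questions 2, 3 and 4: turning tshark's per-request rows into full URLs (the Info column only shows "GET /path HTTP/1.1", so the Host header is needed), answering "who requested this URL and with which browser", and listing the images, video and banners a page pulls in. The tshark field names used (http.host, http.request.uri, http.request.method, http.user_agent, _ws.col.Time) are real field names in tshark 2.x; the field order, the helper names and the sample CSV are constructed for the example and are not captured traffic. On Linux, -i takes either the interface name (venet0 here) or its number from `tshark -D`. Two caveats a practitioner will want: none of these http.* fields exist for HTTPS traffic, where only the server name in the TLS ClientHello is visible (ssl.handshake.extensions_server_name in tshark 2.x, tls.handshake.extensions_server_name in 3.x), and running tshark as root is unnecessary if the capture user is granted access to dumpcap (the wireshark group on Debian/Ubuntu).

```python
"""Post-process tshark HTTP-request CSV: full URLs, who visited what, embedded resources.

Added example, not code from the original thread. All tshark flags and field
names below are real; the field order, sample data and helper names are assumed
for this example.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Fields handed to tshark with -e, in this order (assumed for this example).
# The command builder and the parser both use this list so they cannot drift.
TSHARK_FIELDS = [
    "frame.number", "_ws.col.Time", "ip.src", "ip.dst", "tcp.srcport",
    "tcp.dstport", "http.request.method", "http.host", "http.request.uri",
    "http.user_agent",
]


def tshark_command(interface: str) -> List[str]:
    """Live-capture command printing one CSV row per HTTP request.

    -t ad: absolute date and time in the _ws.col.Time column.
    -Y http.request: keep requests only (responses carry no URL).
    -l: flush after every packet so a parser reading the pipe sees rows live.
    -2 is deliberately absent: two-pass analysis applies to -r files only.
    -q is left out: it suppresses per-packet output, which is what we want here.
    """
    cmd = ["tshark", "-i", interface, "-l", "-t", "ad", "-T", "fields",
           "-E", "separator=,", "-E", "quote=d", "-E", "header=y",
           "-Y", "http.request"]
    for field in TSHARK_FIELDS:
        cmd += ["-e", field]
    return cmd


@dataclass
class HttpRequest:
    frame: int
    time: str
    src: str
    dst: str
    sport: int
    dport: int
    method: str
    host: str
    uri: str
    user_agent: str

    @property
    def url(self) -> str:
        """Full URL. HTTP/1.0 clients may omit Host, so fall back to the server IP."""
        authority = self.host or (self.dst if self.dport == 80 else f"{self.dst}:{self.dport}")
        return f"http://{authority}{self.uri}"


def parse_tshark_csv(text: str) -> List[HttpRequest]:
    """Parse output of -T fields -E separator=, -E quote=d -E header=y.

    quote=d matters: user-agent strings such as "(KHTML, like Gecko)" contain
    the separator, and the csv module handles the quoting for us.
    """
    rows = csv.DictReader(io.StringIO(text))
    return [HttpRequest(int(r["frame.number"]), r["_ws.col.Time"], r["ip.src"],
                        r["ip.dst"], int(r["tcp.srcport"]), int(r["tcp.dstport"]),
                        r["http.request.method"], r["http.host"],
                        r["http.request.uri"], r["http.user_agent"]) for r in rows]


def who_visited(requests: List[HttpRequest], url: str) -> List[Tuple[str, str, str]]:
    """Question 2 and 3: (time, client IP, browser) for every request of one URL."""
    return [(r.time, r.src, r.user_agent) for r in requests if r.url == url]


# Extensions treated as page-embedded resources (question 4); extend as needed.
EMBEDDED_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".css", ".js",
                ".mp4", ".webm", ".woff", ".woff2")


def embedded_resources(requests: List[HttpRequest]) -> List[HttpRequest]:
    """Requests for images, video, banners, scripts that a page loads."""
    return [r for r in requests
            if urlsplit(r.url).path.lower().endswith(EMBEDDED_EXT)]


def requests_by_client(requests: List[HttpRequest]) -> Dict[str, List[str]]:
    """URLs per source address, i.e. per VPN client when capturing on the tunnel."""
    out: Dict[str, List[str]] = {}
    for r in requests:
        out.setdefault(r.src, []).append(r.url)
    return out


# Constructed sample of what the command above emits; not real traffic.
SAMPLE_CSV = '''frame.number,_ws.col.Time,ip.src,ip.dst,tcp.srcport,tcp.dstport,http.request.method,http.host,http.request.uri,http.user_agent
"12","2017-01-09 22:24:01.123456","10.8.0.6","203.0.113.10","51234","80","GET","www.example.com","/index.html","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
"15","2017-01-09 22:24:01.301200","10.8.0.6","203.0.113.10","51234","80","GET","www.example.com","/images/logo.png","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
"18","2017-01-09 22:24:01.455000","10.8.0.6","203.0.113.77","51240","80","GET","ads.example.net","/banner.gif?campaign=7","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
"27","2017-01-09 22:24:09.000100","10.8.0.7","203.0.113.10","40022","8080","POST","","/login","Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
"33","2017-01-09 22:24:12.777000","10.8.0.7","203.0.113.10","40025","80","GET","www.example.com","/media/intro.mp4","Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
"40","2017-01-09 22:25:30.000000","10.8.0.6","203.0.113.10","51260","80","GET","www.example.com","/index.html","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
'''

if __name__ == "__main__":
    reqs = parse_tshark_csv(SAMPLE_CSV)
    print(" ".join(tshark_command("venet0")))
    for t, ip, ua in who_visited(reqs, "http://www.example.com/index.html"):
        print(t, ip, ua)
    for r in embedded_resources(reqs):
        print(r.time, r.src, r.url)
```

Run it as `tshark ... | python3 this_script.py` style by replacing SAMPLE_CSV with `sys.stdin.read()`; with -l on the tshark side the rows arrive as each request is seen. Matching on the exact URL is deliberate: a `-Y` display filter such as `http.request.uri contains "/index.html"` would also catch `/old/index.html`, and combining http.host with http.request.uri is what lets you distinguish two sites on the same server.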