This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark: Custom HTTP headers

0

Hi,

Is it possible to pass custom HTTP headers fields for HTTP dissection on the CLI with tshark?

I am aware of '-o' to set preferences but the header fields appear to be stored seperately.

Many thanks

asked 04 Nov '10, 04:43

rtector's gravatar image

rtector
1224
accept rate: 0%


One Answer:

2

The custom HTTP headers are stored in a user accessible table (UAT) named custom_http_header_fields in your preferences directory. You can fill it in using Wireshark via the HTTP preferences or if you're adventurous you can create it by hand. It should be a CSV file with the field name in the first column and a description in the second column. In either case TShark will use the file.

If your custom_http_header_fields looks like this:

$ cat ~/.wireshark/custom_http_header_fields 
# This file is automatically generated, DO NOT MODIFY.
"X-Slogan","Site slogan"

You can do this:

$ tshark -r /tmp/wireshark.org.pcap -R http.header.X-Slogan
136 573  11.066907 67.228.110.120 -> 192.168.77.74 HTTP HTTP/1.1 200 OK  (text/html) 15,7680 507
173 1163  11.147269 67.228.110.120 -> 192.168.77.74 HTTP HTTP/1.1 200 OK  (text/css) 15,7680 2545
187 654  11.208029 67.228.110.120 -> 192.168.77.74 HTTP HTTP/1.1 200 OK  (application/x-javascript) 19,9728 2036
193 696  11.219131 67.228.110.120 -> 192.168.77.74 HTTP HTTP/1.1 200 OK  (PNG) 18,9216 2078

answered 04 Nov '10, 09:06

Gerald%20Combs's gravatar image

Gerald Combs ♦♦
3.3k92258
accept rate: 24%

Hi Gerald,

Thanks for your answer, I was aware of the way Wireshark stores the custom fields when configured in the GUI.

What I am after however, is a way to specify either a set of custom definitions or a file containing those definitions at the command line as an option to tshark. This would override/supplement the stored preferences, similar to how you can use -o to override the standard preferences.

Any thoughts?

Regards

(06 Nov '10, 09:04) rtector