Copy multiple URIs at once

Question

Hi,

Is it possible to copy multiple URIs at once in Wireshark 1.6.5?

Right now, when Wireshark displays an http GET command of interest, I select the packet, then right click on the Full Request URI under "Hypertext Transfer Protocol", "Copy", then "Value". When there are hundreds of URIs to copy, it becomes maddening.

Ideally, I would like to select the packets with ctrl+click, shift+click or ctrl+A, then right click and copy Full URIs.

Is there any way to get the full URIs faster than how I'm doing now ?

Thank you very much for your help!

Answer 1

You can use TShark, one of the Wireshark tools to do the job:

-T pdml|ps|psml|text|fields  format of text output (def: text)
-e <field>                   field to print if -Tfields selected (e.g. tcp.port);

$ tshark -r clmt_04.pcap -T fields -e http.request.full_uri | sort | uniq > http.request.full_uri.txt

Answer 2

Thank you very much, joke!

I got it working but using this: tshark -i [mycaptureinterface] -e http.request.full_uri -Tfields -f capture.filter > f:\captureoutput.txt

It's not as good as I'd hope, but at least it's working. Do you think it would be a worthy feature to implement in Wireshark? Being able to copy one type of information from multiple packets? I, for one, would love that.

Answer 3

You get a better result, when you use TShark together with sort and uniq:
$ tshark -i 4 -T fields -e http.request.full_uri | sort | uniq > http.request.full_uri4.txt.

I run cygwin on my Windows box.
It took some time, but once I had learned how to use the command line tools, I love to use them.
Just some examples:

$ tshark -r test.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len > test1.csv
$ tshark -r test.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len -E header=y -E separator=, > test2.csv
$ tshark -r test.pcap -R "frame.number<40" -T fields -e frame.number -e frame.time -e frame.time_delta -e frame.time_delta_displayed -e frame.time_relative -E header=y > test3.csv
$ tshark -r test.pcap -R "wlan.fc.type_subtype == 0x08" -T fields -e frame.number -e wlan.sa -e wlan.bssid > test4.csv
$ tshark -r test.pcap -R "ip.addr==192.168.1.6 && tcp.port==1696 && ip.addr==67.212.143.22 && tcp.port==80" -T fields -e frame.number -e tcp.analysis.ack_rtt -E header=y > test5.csv
$ tshark -r test.pcap -T fields -e frame.number -e tcp.analysis.ack_rtt -E header=y > test6.csv

BTW
You can also file an enhancement bug at Bugzilla.