Copy multiple URIs at once

0

Hi,

Is it possible to copy multiple URIs at once in Wireshark 1.6.5?

Right now, when Wireshark displays an HTTP GET command of interest, I select the packet, then right-click on the Full Request URI under "Hypertext Transfer Protocol", "Copy", then "Value". When there are hundreds of URIs to copy, it becomes maddening.

Ideally, I would like to select the packets with ctrl+click, shift+click or ctrl+A, then right-click and copy Full URIs.

Is there any way to get the full URIs faster than how I'm doing it now?

Thank you very much for your help!

asked 21 Jan '12, 18:12

Arto65
1111
accept rate: 0%


3 Answers:

1

You can use TShark, one of the Wireshark tools, to do the job:

-T pdml|ps|psml|text|fields  format of text output (def: text)
-e <field>                   field to print if -Tfields selected (e.g. tcp.port);
$ tshark -r clmt_04.pcap -T fields -e http.request.full_uri | sort | uniq > http.request.full_uri.txt

answered 22 Jan '12, 01:07

joke
1.3k4934
accept rate: 9%

edited 22 Jan '12, 01:08

Thank you very much, joke!

I got it working but using this: tshark -i [mycaptureinterface] -e http.request.full_uri -Tfields -f capture.filter > f:\captureoutput.txt

It's not as good as I'd hope, but at least it's working. Do you think it would be a worthy feature to implement in Wireshark? Being able to copy one type of information from multiple packets? I, for one, would love that.

(23 Jan '12, 05:51) Arto65

0

You get a better result when you use TShark together with sort and uniq:

$ tshark -i 4 -T fields -e http.request.full_uri | sort | uniq > http.request.full_uri4.txt

I run cygwin on my Windows box.
It took some time, but once I had learned how to use the command line tools, I love to use them.
Just some examples:

$ tshark -r test.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len > test1.csv
$ tshark -r test.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len -E header=y -E separator=, > test2.csv
$ tshark -r test.pcap -R "frame.number<40" -T fields -e frame.number -e frame.time -e frame.time_delta -e frame.time_delta_displayed -e frame.time_relative -E header=y > test3.csv
$ tshark -r test.pcap -R "wlan.fc.type_subtype == 0x08" -T fields -e frame.number -e wlan.sa -e wlan.bssid > test4.csv
$ tshark -r test.pcap -R "ip.addr==192.168.1.6 && tcp.port==1696 && ip.addr==67.212.143.22 && tcp.port==80" -T fields -e frame.number -e tcp.analysis.ack_rtt -E header=y > test5.csv
$ tshark -r test.pcap -T fields -e frame.number -e tcp.analysis.ack_rtt -E header=y > test6.csv

BTW
You can also file an enhancement bug at Bugzilla.

answered 23 Jan '12, 11:10

joke
1.3k4934
accept rate: 9%

What are 'sort' and 'uniq' for? I am not sure why I need them for this specific task: I just need the URLs in the order they're coming, and there are never any dupes.

Why the need for cygwin? I use cygwin for rsync for example, but what are the benefits for Tshark?

I filed an enhancement request at Bugzilla; we'll see how it goes!

Thanks again for everything!

(24 Jan '12, 01:17) Arto65
1

I converted your "answer" to a comment as that is how this site works. See the FAQ for details.

The extra commands in the pipeline fairly obviously sort the output and remove duplicates; this may be useful for some folks.

For those that have embraced PowerShell the equivalent would be:

PS C:\temp> & 'tshark.exe' -r test.pcap -T fields -e http.request.full_uri | Sort-Object | Get-Unique

(24 Jan '12, 07:26) grahamb ♦
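An added example, not part of the original thread: the pipelines above either reorder the URIs (sort | uniq) or keep every line, including the empty lines TShark prints for packets that carry no http.request.full_uri. The sketch below keeps capture order, drops the empty lines, and reports how often each URI was requested and in which frame it first appeared. The function names and the sample data are constructed for illustration; it assumes TShark's default tab separator for -T fields.

```shell
#!/bin/sh
# Post-process the output of:
#   tshark -r test.pcap -T fields -e frame.number -e http.request.full_uri
# Each input line is "frame<TAB>uri"; the uri column is empty for packets
# that are not HTTP requests.

# Print "count<TAB>first_frame<TAB>uri", one line per distinct URI,
# in the order the URIs first appear in the capture.
uri_first_seen() {
    awk -F '\t' '
        $2 == ""       { next }                        # no URI in this packet
        !($2 in count) { order[++n] = $2; first[$2] = $1 }
                       { count[$2]++ }
        END {
            for (i = 1; i <= n; i++)
                printf "%d\t%s\t%s\n", count[order[i]], first[order[i]], order[i]
        }
    '
}

# Constructed sample of TShark field output (not taken from a real capture).
sample_fields() {
    printf '1\t\n'
    printf '4\thttp://example.com/index.html\n'
    printf '9\thttp://example.com/style.css\n'
    printf '12\t\n'
    printf '15\thttp://example.com/index.html\n'
}

# With a real capture file:
#   tshark -r test.pcap -T fields -e frame.number -e http.request.full_uri | uri_first_seen
sample_fields | uri_first_seen
```

A URI that appears only once and in a late frame is easy to spot in this output, which the sorted list hides.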