This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I'm using tshark to capture hostnames (http.host), source (ip.src) and destination (ip.dst) IPs, and the frame time (frame.time). I am capturing only tcp ports 80 and 443 (web traffic). The command I'm using is: tshark tcp port 80 or tcp port 443 -V -R "http.request" -Tfields -e http.host -e ip.src -e ip.dst -e frame.time

Is there a way for me to pass a list of hostnames that I want to capture from a file? I understand that I could save the entire capture to a file and use grep -f to filter it after the fact. I am trying to avoid saving the entire capture to a file, and only save the hostnames that I'm interested in.

For example, I have a file called interesteddomains that contains a list of domains (i.e. facebook.com, ebay.com, etc.). These domains are listed on separate lines of this file. I want to pass this list of domains (from the file) to tshark, and only capture domains that are in this file.

I'm trying to pipe the realtime capture to grep, but it doesn't seem to like that (or I'm doing something wrong :)). I was wondering if I could eliminate the need to grep it and just handle the filtering in the tshark command.

Any help would be appreciated! I apologize if this is confusing.

Jason

asked 29 Feb '12, 07:01


jbloink


There is probably some complicated awk script that you can run to build a display filter from the contents of the file. Something like:

cat domains.txt | awk '{printf(" http.host==\"%s\" && ", $1)}'

Punctuation soup! It should produce the following (assuming www.yahoo.com and www.facebook.com are lines in that file):

http.host=="www.yahoo.com" &&  http.host=="www.facebook.com" &&

Starting to look like a tshark -R display filter? That's as close as I could come given a few moments, but some combination of that, and using the backticks operator in bash might get you closer.

Alternately, you could whip up a quick perl or ruby script to parse the file, and output the display filter. Assuming such a magic script existed, you could build that filter like this:

tshark [your options] -R "`./magic-script.rb domains.txt` && http.request" -T fields -e [etc...]

Good luck!


answered 01 Mar '12, 20:44


zachad

edited 01 Mar '12, 20:44
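One way to write the "magic script" the answer above sketches, as an added example that is not from the original thread or from the Wireshark project. It reads hostnames from stdin, skips blank and comment lines, refuses any line containing a quote or backslash (which cannot be safely embedded in a display-filter string literal), and joins the terms with || rather than && since a single request can only have one http.host. The demo list is constructed; the interface name and the -Y option (used by tshark 1.10 and later for display filters, where the question's -R applied) are assumptions.

```shell
#!/bin/sh
# build_host_filter: read hostnames (one per line) on stdin and print a
# Wireshark display filter that matches any of them, e.g.
#   (http.host == "www.yahoo.com" || http.host == "www.facebook.com") && http.request
build_host_filter() {
    awk '
        { sub(/#.*/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, "") }  # drop comments, trim
        $0 == "" { next }                                            # skip empty lines
        # Display-filter strings are double-quoted; rather than attempt escaping,
        # reject lines that could break out of the literal.
        /["\\]/ { print "skipping suspicious line: " $0 > "/dev/stderr"; next }
        { terms = terms (n++ ? " || " : "") "http.host == \"" $0 "\"" }
        END { if (n) printf("(%s) && http.request\n", terms) }
    '
}

# Demo with a constructed domain list (stand-in for the interesteddomains file).
filter=$(printf 'www.yahoo.com\n# ad hosts\nwww.facebook.com\n\n' | build_host_filter)
echo "$filter"
# Live capture using the generated filter (assumed interface eth0; tshark 1.10+ uses -Y):
# tshark -i eth0 -f "tcp port 80 or tcp port 443" -Y "$filter" \
#     -T fields -e http.host -e ip.src -e ip.dst -e frame.time
```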

Thanks guys! I appreciate your help. I'll mess around a bit more and post any updates for future reference.

Jason

(06 Mar '12, 07:53) jbloink

You can use TShark with the option -T fields to create a .csv file:
$ tshark -r clmt_04.pcap -T fields -e http.host | sort | uniq | sort > http.host.csv
$ tshark -r clmt_04.pcap -T fields -e http.request.full_uri | sort | uniq | sort > http.request.full_uri.csv


answered 02 Mar '12, 22:02


joke


last updated: 06 Mar '12, 09:45
