Hi, I'm using tshark to capture hostnames (http.host), source (ip.src) and destination (ip.dst) IPs, and the frame time (frame.time). I am capturing only tcp ports 80 and 443 (web traffic). The command I'm using is:

tshark tcp port 80 or tcp port 443 -V -R "http.request" -Tfields -e http.host -e ip.src -e ip.dst -e frame.time

Is there a way for me to pass a list of hostnames that I want to capture from a file? I understand that I could save the entire capture to a file and use grep -f to filter it after the fact. I am trying to avoid saving the entire capture to a file, and only save the hostnames that I'm interested in.

For example, I have a file called interesteddomains that contains a list of domains (i.e. facebook.com, ebay.com, etc.). These domains are listed on separate lines of this file. I want to pass this list of domains (from the file) to tshark, and only capture domains that are in this file.

I'm trying to pipe the realtime capture to grep, but it doesn't seem to like that (or I'm doing something wrong :)). I was wondering if I could eliminate the need to grep it and just handle the filtering in the tshark command.

Any help would be appreciated! I apologize if this is confusing.

Jason

asked 29 Feb '12, 07:01 jbloink
2 Answers:
There is probably some complicated awk script that you can run to build a display filter from the contents of the file. Something like:
Punctuation soup! It should produce the following (assuming www.yahoo.com and www.facebook.com are lines in that file):
Starting to look like a tshark -R display filter? That's as close as I could come given a few moments, but some combination of that, and using the backticks operator in bash might get you closer. Alternately, you could whip up a quick perl or ruby script to parse the file, and output the display filter. Assuming such a magic script existed, you could build that filter like this:
Good luck!

answered 01 Mar '12, 20:44 zachad, edited 01 Mar '12, 20:44
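One way to generate the display filter this answer describes from the hostname file, as an added example that is not part of the original thread. The function name `build_host_filter`, its optional operator argument and the sample file contents are assumptions made for illustration; each line is validated so a stray quote or space in the list cannot change the filter expression.

```shell
#!/bin/sh
# Added example (not from the thread): build a tshark display filter from a
# file of hostnames, one per line.
# build_host_filter FILE [OP]
#   OP is '==' (exact match, default) or 'contains' (substring match).
build_host_filter() {
    file=$1
    op=${2:-==}
    case $op in
        '=='|contains) ;;
        *) echo "unsupported operator: $op" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    expr_list=$(
        # Drop CRs, '#' comments and surrounding whitespace.
        tr -d '\r' < "$file" |
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        awk -v op="$op" '
            $0 == "" { next }
            # Accept hostname characters only, so an entry cannot close the
            # quoted string and inject extra filter terms.
            $0 !~ /^[A-Za-z0-9._-]+$/ {
                print "skipping invalid entry: " $0 > "/dev/stderr"; next
            }
            seen[$0]++ { next }    # skip duplicates
            { printf "%shttp.host %s \"%s\"", sep, op, $0; sep = " || " }
        '
    )
    [ -n "$expr_list" ] || { echo "no usable hostnames in $file" >&2; return 1; }
    printf 'http.request && (%s)\n' "$expr_list"
}

# Constructed sample list standing in for the "interesteddomains" file.
sample=$(mktemp)
printf '%s\n' 'facebook.com' '  ebay.com  ' '' '# comment' \
    'bad" || ip' 'facebook.com' > "$sample"
build_host_filter "$sample" contains
rm -f "$sample"

# Intended use with the command from the question:
#   tshark -R "$(build_host_filter interesteddomains)" -T fields \
#       -e http.host -e ip.src -e ip.dst -e frame.time
```

Recent tshark releases take the display filter for a live capture with `-Y` rather than `-R`.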
You can use TShark with the option -T fields to create a .csv file:

answered 02 Mar '12, 22:02 joke
Thanks guys! I appreciate your help. I'll mess around a bit more and post any updates for future reference.
Jason