On Tue, Dec 1, 2009 at 1:17 PM, zeev mintz <zeevmintz@xxxxxxxxx> wrote:
>
> Hi,
>
> I have captured lots of traffic, and I would like to filter out certain packets from my captures.
> For example, I want to filter only http GET messages.
>
> Since I have over a thousand log files (each over 100mb), I need a fast (or some kind of automatic) way to export only the http GET messages from all the log files, into several small files (no bigger than 100mb each).
>
> As far as I can see, I can't filter messages during capture by the http method (GET), and there is no export feature through the Wireshark terminal commands. What can I do?
>
> Thanks a lot,
> shalev

Hello,

Do you need to save the actual packet, or only the GET request messages?

If you only need to save the GET requests, you can use a Tshark display filter.

    tshark -i wlan0 -R 'http.request.method == "GET"'

    2009-12-02 12:27:29.001591 192.168.2.107 34431 172.16.2.1 3128 HTTP GET http://www.bejtlich.net/index.html HTTP/1.0

Unfortunately, if you want to save the traffic, that method will
record all packets because a display filter is not the same as a
capture filter.

You might want to use Httpry, Bro, or something similar instead.

Sincerely,

Richard
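
Added example, not part of either message above: one way to do the batch export offline is to walk each saved capture, keep only the packets whose TCP payload starts with "GET ", and rotate to a new output once a size limit is reached. The function names and sample capture are constructed for illustration; the code assumes classic little-endian pcap files with Ethernet/IPv4 framing and does no TCP reassembly, so it only matches a GET that begins a segment.

```python
import struct

FILE_HDR = struct.Struct("<IHHiIII")  # classic pcap header, little-endian
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def is_http_get(frame):
    """True when an Ethernet/IPv4/TCP frame's payload begins with 'GET '."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return False                         # too short, not IPv4, or not TCP
    tcp = 14 + (frame[14] & 0x0F) * 4        # skip Ethernet + IP header (IHL)
    if len(frame) < tcp + 20:
        return False
    data = tcp + (frame[tcp + 12] >> 4) * 4  # skip TCP header (data offset)
    return frame[data:data + 4] == b"GET "

def export_gets(pcap, max_bytes):
    """Return pcap blobs (<= max_bytes where possible) holding only GET packets."""
    magic, *_, linktype = FILE_HDR.unpack_from(pcap)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian Ethernet pcap")
    header = pcap[:FILE_HDR.size]
    chunks, current, pos = [], bytearray(header), FILE_HDR.size
    while pos + REC_HDR.size <= len(pcap):
        incl_len = REC_HDR.unpack_from(pcap, pos)[2]
        end = pos + REC_HDR.size + incl_len
        if end > len(pcap):
            break                            # truncated final record
        if is_http_get(pcap[pos + REC_HDR.size:end]):
            if len(current) > len(header) and len(current) + end - pos > max_bytes:
                chunks.append(bytes(current))    # rotate to a new output file
                current = bytearray(header)
            current += pcap[pos:end]
        pos = end
    if len(current) > len(header):
        chunks.append(bytes(current))
    return chunks

def sample_capture():
    """Constructed test capture: GET, POST, GET (not real traffic)."""
    def frame(payload):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes([192, 168, 2, 107]), bytes([172, 16, 2, 1]))
        tcp = struct.pack("!HHIIBBHHH", 34431, 3128, 0, 0, 0x50, 0x18, 8192, 0, 0)
        return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    out = FILE_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for body in (b"GET /a HTTP/1.0\r\n\r\n", b"POST /b HTTP/1.0\r\n\r\n", b"GET /c HTTP/1.0\r\n\r\n"):
        f = frame(body)
        out += REC_HDR.pack(0, 0, len(f), len(f)) + f
    return out
```

Each returned blob is a complete pcap file, so writing it to disk with a .pcap name gives something Wireshark or Tshark can open directly.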