Richard Bejtlich wrote:
> On Tue, Dec 1, 2009 at 1:17 PM, zeev mintz <zeevmintz@xxxxxxxxx> wrote:
>> Hi,
>>
>> I have captured lots of traffic, and I would like to filter out certain packets from my captures.
>> For example, I want to filter only http GET messages.
>>
>> Since I have over a thousand log files (each over 100mb), I need a fast (or some kind of automatic) way to export only the http GET messages from all the log files, into several small files (no bigger than 100mb each).
>>
>> As far as I can see, I can't filter messages during capture by the http method (GET), and there is no export feature through the wireshark terminal commands. What can I do?
>>
>> Thanks a lot,
>> shalev
>
> Hello,
>
> Do you need to save the actual packet, or only the GET request messages?
>
> If you only need to save the GET requests, you can use a Tshark display filter.
>
> tshark -i wlan0 -R 'http.request.method == "GET"'
>
> 2009-12-02 12:27:29.001591 192.168.2.107 34431 172.16.2.1 3128 HTTP
> GET http://www.bejtlich.net/index.html HTTP/1.0
>
> Unfortunately, if you want to save the traffic, that method will
> record all packets because a display filter is not the same as a
> capture filter.
You should be able to post-process the capture files using tshark and a
display filter, e.g.
for capfile in *.pcap ; do
  # quote the file name so captures with spaces in their names still work
  tshark -r "$capfile" -R 'http.request.method == "GET"' \
    -w "get-only-$capfile"
done
If you want to filter on GET requests at capture time you could use
something like Jefferson Ogata's Big Hairy HTTP GET Filter:
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
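As an added example (not from the thread), here is the logic of that BPF expression written out in Python, so it is clear what it does and does not match: it reads the TCP Data Offset nibble, converts it to a header length in bytes, and compares the first four payload bytes with "GET ". The segment builder and its port/sequence values are constructed for the demonstration.

```python
import struct

GET_MARKER = 0x47455420  # the ASCII bytes "GET " read as one big-endian 32-bit value


def tcp_payload_starts_with_get(tcp_segment: bytes) -> bool:
    """Evaluate tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 on a raw TCP segment.

    tcp[12:1] is the byte whose high nibble is the Data Offset (header length in
    32-bit words). (byte & 0xf0) >> 2 equals (byte >> 4) * 4, the header length in
    bytes, which is exactly where the payload begins, options included.
    """
    if len(tcp_segment) < 13:
        return False
    data_offset_bytes = (tcp_segment[12] & 0xF0) >> 2
    # BPF treats a load that runs past the end of the packet as "no match".
    if len(tcp_segment) < data_offset_bytes + 4:
        return False
    window = tcp_segment[data_offset_bytes:data_offset_bytes + 4]
    return struct.unpack("!I", window)[0] == GET_MARKER


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed minimal TCP segment: 20-byte fixed header, optional options,
    then payload. Only the Data Offset field matters for the filter above."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 32-bit boundary")
    header_words = 5 + len(options) // 4
    # Data Offset in the top 4 bits, then reserved bits and flags (PSH|ACK here).
    offset_and_flags = (header_words << 12) | 0x18
    header = struct.pack("!HHIIHHHH",
                         34431,            # source port (constructed)
                         80,               # destination port (constructed)
                         1, 1,             # seq / ack (constructed)
                         offset_and_flags,
                         65535, 0, 0)      # window, checksum, urgent pointer
    return header + options + payload


# Constructed 8-byte option block: MSS 1460, two NOPs, SACK-permitted.
OPTIONS_MSS_SACK = b"\x02\x04\x05\xb4\x01\x01\x04\x02"
```

Note that the filter only sees a request whose "GET " sits at the very start of a segment's payload; a second, pipelined GET that begins mid-segment is not matched.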