I doubt that tshark can output a file in Apache log format, but
another program, justniffer, can read a .cap file and output in Apache
log format.
I am currently using the following tshark command line to extract only
sessions with 'www.' in the link:
    tshark -r test.pcap -T fields -e http.host | sed 's/?.*$//' | sed -n '/www./p' | sort | uniq -c | sort -rn | head -n 500
but this output is not in Apache log format for use by justniffer.
Can someone suggest a method to:
either use tshark to output in Apache log format only data with "www."
in the data, or
use a tshark command line sequence to output a "standard" .cap file that
would contain all the usual .cap data but only for those records that
contain "www." in them.
Thanks.