Wireshark-users: Re: [Wireshark-users] The best method to extract the subset of HTTP fields from

From: Vitaly Repin <vitaly.repin@xxxxxxxxx>
Date: Thu, 7 Jan 2016 00:34:44 +0200
Hello,

As of now they are standard. E.g., Referer and response body.

" it's possible for them to be added as fields (which will then appear
in pinfo)".  How can I do it?
Is it done through

How can I add them to pinfo? Can "-T fields, -e ..." help me here?

2016-01-06 19:52 GMT+02:00 Abhik Sarkar <sarkar.abhik@xxxxxxxxx>:
> Hi,
>
> From your question, it seems the data you wish to extract are not known
> fields. However, it's not clear what you are after. If it's non-standard
> HTTP headers you are after, it's possible for them to be added as fields
> (which will then appear in pinfo).
>
> If that works, you could either continue with your LUA tap, or you could
> also check the option of running tshark with the "-T fields" option and
> extracting specific fields (with -e) you want. See the manpage for more
> info.
>
> Hope this helps.
> Abhik.
>
> On 6 January 2016 at 20:01, Vitaly Repin <vitaly.repin@xxxxxxxxx> wrote:
>>
>> Hello,
>>
>> I am trying to extract a specific subset of HTTP fields from the live
>> stream and I need Wireshark experts' advice on the best way to do
>> this.
>>
>> It looks like the following options exist:
>>
>> 1) Output packets in pdml format. Extract the fields I need from the
>> output data.
>>
>> 2) Use Lua scripting to extract the data using the Lua functions
>>
>> It seems to me the second method is better in terms of performance
>> (pdml output contains huge amount of data which I do not need) and it
>> should be also simpler in development.
>>
>> I have written a tap in Lua but I was able to extract only the fields
>> delivered through the pinfo structure. The question is - how to parse the tvb
>> structure?
>>
>> Can I access the parsed tvb somehow? Should I get the http dissector from
>> DissectorTable.get("tcp.port"):get_dissector(80) and apply it to the
>> tvb? Could you point me to an example?
>>
>> Or maybe the simplest way is to create a post-dissector or chained
>> dissector and not use a tap at all?
>>
>> Thanks in advance!
>>
>> --
>> WBR & WBW, Vitaly
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    https://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



-- 
WBR & WBW, Vitaly
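As an added example (not code from the thread), here is a tshark Lua tap that pulls just the HTTP fields discussed above (Referer and the response body) through Field extractors, so the fields the dissector has already parsed are read directly and the tvb never has to be parsed by hand. The field names are Wireshark's standard http.referer / http.file_data fields; the interface name and script file name are assumptions.

```lua
-- Added example: minimal tshark tap that reads already-dissected HTTP fields.
-- Run (assumed file name / interface):
--   tshark -i eth0 -q -X lua_script:http_fields.lua
-- The equivalent without Lua is the "-T fields" route from the thread:
--   tshark -i eth0 -Y "http.referer or http.response" -T fields \
--          -e frame.number -e http.referer -e http.file_data
--
-- Field extractors must be created at script load time, before dissection.
local f_host    = Field.new("http.host")
local f_uri     = Field.new("http.request.uri")
local f_referer = Field.new("http.referer")
local f_status  = Field.new("http.response.code")
local f_body    = Field.new("http.file_data")   -- reassembled response body

-- Listen on the "http" tap; the display filter restricts which packets arrive.
local tap = Listener.new("http", "http.referer or http.response")

-- Calling an extractor returns the matching FieldInfo objects for the
-- current packet (first one or nil if the field is absent).
local function text(finfo)
  if finfo then return tostring(finfo) end
  return ""
end

function tap.packet(pinfo, tvb, tapinfo)
  local referer = f_referer()
  if referer then
    -- Request with a Referer header: log where the client came from.
    print(string.format("%d req  %s%s referer=%s", pinfo.number,
      text(f_host()), text(f_uri()), text(referer)))
  end

  local status = f_status()
  if status then
    -- Response: log the status code and the size of the body, not the
    -- body itself, to keep the output small; use finfo.value for the bytes.
    local body = f_body()
    local body_len = body and body.len or 0
    print(string.format("%d resp status=%s body_bytes=%d", pinfo.number,
      text(status), body_len))
  end
end

-- Required listener callbacks; nothing to summarise or reset here.
function tap.draw() end
function tap.reset() end
```

Because the tap only touches the named extractors, it avoids the cost of the full PDML output mentioned earlier in the thread while still exposing any field the HTTP dissector knows, including custom headers once they are registered as fields.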