pretty

Sunday, April 22, 2012

Tshark one liners


Show uris

tshark -T fields -e http.request.uri | grep -v “^$”

Unique urls

tshark -r sample.pcap -R http.request -T fields -e http.host -e http.request.uri | sort -u

Top ten urls from (http://goo.gl/qd5aI)

tshark -r sample1.cap -R http.request 
-T fields -e http.host -e http.request.uri |
sed -e 's/?.*$//' |
sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' |
sort | uniq -c | sort -rn | head


List user agents

sudo tshark -nn -r capture_file.pcap -Tfields -e ip.src -e http.user_agent -R "http.user_agent"


List conversations 



tshark -r sample.pcap  -tad -R"tcp" -o column.format:'"Time","%t", "Source", "%s","Destination", "%d"'


tshark -r samples.cap -q -z conv,tcp


HTTP statistics

tshark -q -z http,stat, -z http,tree -r sample.pcap

DNS


Show responses

tshark -tad -r lupus.pcap -R dns.flags.response==1

Posted by at
Labels: ,

2 comments:

  1. 2cool2touchFebruary 15, 2013 at 4:59 PM

    where did u find the http,tree option. There are 2 other http options available in UI of wireshark. Do you know what is the tshark equivalent?

    Wireshark UI > Statistics > HTTP >

    Packet Counter -------> http,tree
    Requests -------------> ???
    Load Distribution ----> ???

    ReplyDelete
  2. DirumFebruary 22, 2013 at 11:45 PM

    Try this

    Packet Counter -------> http,tree
    Requests -------------> -zhttp_req,tree
    Load Distribution ----> -zhttp_srv,tree


    ReplyDelete

Subscribe to: Post Comments (Atom)