This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to get the X-Cache field in tshark?

0

Hi, I have a pcap file with some packets coming from a Squid cache. Looking at Wireshark, I can view the X-Cache header under the HTTP section. However, I cannot find an equivalent field for tshark. I have tried composing a Lua listener to extract the info myself, but the tvb field is NIL for all packets. Can anyone help?

asked 28 Dec '11, 00:32

yoav

Do you just want to extract the text inside HTTP stating "X-Cache..."?

(28 Dec '11, 07:34) Landi

2 Answers:

3

You can add custom http header fields to the HTTP preferences setting, which will then allow you to access them (also as a filter, which won't be available without adding it to the preferences first). Gerald wrote an answer to a similar question here, which might help:

http://ask.wireshark.org/questions/816/tshark-custom-http-headers

answered 28 Dec '11, 07:43

Jasper ♦♦

edited 28 Dec '11, 07:44

Thanks! This was well hidden, but it sure works :-)

(28 Dec '11, 22:40) yoav

0

X-Cache is not a filterable field, but you can use TShark and awk or grep:

$ tshark -r clmt_04.pcap -R "http contains X-" -O http -V | awk '/X-/ {print}' > X-.txt
$ tshark -r clmt_04.pcap -R "http contains X-" -O http -V | awk '/X-Cache/ {print}' > X-Cache1.txt
$ tshark -r clmt_04.pcap -R "http contains X-" -O http -V | grep X-Cache > X-Cache2.txt

answered 28 Dec '11, 07:39

joke

In addition to Jasper's answer.
After adding a custom http header field:

$ tshark -r clmt_04.pcap -T fields -e frame.number -e http.header.X-Cache > http.header.X-Cache.txt
$ tshark -i 3 -T fields -e frame.number -e http.header.X-Cache -E header=y -E separator=, > http.header.X-Cache2.csv

(28 Dec '11, 13:01) joke
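
Added example, not part of the original thread: a small shell filter that summarises the CSV produced by the `-T fields ... -E header=y -E separator=,` command above into per-proxy HIT/MISS counts. It goes slightly beyond the thread by handling frames that carry several X-Cache values (tshark joins multiple occurrences of a field with a comma by default). The function names `xcache_summary` and `sample_csv`, the host names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Summarise "frame.number,http.header.X-Cache" CSV from tshark (added example).
# Reads CSV on stdin, prints "<count> <STATUS> <host>" lines sorted by status/host.

xcache_summary() {
    awk -F, '
        # Skip the column-name row written by -E header=y.
        NR == 1 && $1 == "frame.number" { next }
        {
            # Column 1 is the frame number; every further column is one
            # X-Cache value (several when a response passed chained caches).
            for (i = 2; i <= NF; i++) {
                n = split($i, part, " ")      # whitespace split, trims blanks
                if (n == 0) continue           # frame without an X-Cache header
                # Squid writes "<STATUS> from <host>"; anything else -> unknown.
                host = (n >= 3 && part[2] == "from") ? part[3] : "unknown"
                count[part[1] " " host]++
            }
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample input in the format of the tshark command above.
sample_csv() {
    cat <<'EOF'
frame.number,http.header.X-Cache
4,
6,MISS from proxy.example.net
9,
12,HIT from proxy.example.net
15,HIT from proxy.example.net
21,MISS from edge.example.net,HIT from proxy.example.net
EOF
}

# Stand-alone run on the constructed sample; for a real capture use:
#   xcache_summary < http.header.X-Cache2.csv
sample_csv | xcache_summary
```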