 | 1 | initial version |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response, like so:
*tshark -o ssl.keylog_file:random-sites-keys -Y"http.response.code == 200 && http.content_length && (http.content_type contains "image")" -T fields -e frame.number -e http.content_type -e http.content_length -r random-sites.pcapng *
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937
| | 2 | No.2 Revision |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response, like so:
*tshark tshark -o ssl.keylog_file:random-sites-keys -Y"http.response.code == 200 && http.content_length && (http.content_type contains "image")" -T fields -e frame.number -e http.content_type -e http.content_length -r random-sites.pcapng
*random-sites.pcapng
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937
| | 3 | No.3 Revision |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response, response (assuming that the server application inserts those headers as it should), like so:
tshark -o ssl.keylog_file:random-sites-keys -Y"http.response.code == 200 && http.content_length && (http.content_type contains "image")" -T fields -e frame.number -e http.content_type -e http.content_length -r random-sites.pcapng
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937
| | 4 | No.4 Revision |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response (assuming that the server application inserts those headers as it should), like so:
tshark -o ssl.keylog_file:random-sites-keys -Y"http.response.code == 200 && http.content_length && (http.content_type contains "image")" -T fields -e frame.number -e http.content_type -e http.content_length -r random-sites.pcapng
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937
| | 5 | No.5 Revision |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response (assuming that the server application inserts those headers as it should), like so:
tshark -o ssl.keylog_file:random-sites-keys -Y"http.response.code == 200 && http.content_length && (http.content_type contains "image")" -T fields -e frame.number -e http.content_type -e http.content_length -r random-sites.pcapng
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937
| | 6 | No.6 Revision |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response (assuming that the server application inserts those headers as it should), like so:
tshark -o ssl.keylog_file:random-sites-keys -Y"http.response.code == 200 && http.content_length && (http.content_type contains "image")" -T fields -e frame.number -e http.content_type -e http.content_length -r random-sites.pcapngrandom-site.pcapng
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937
| | 7 | No.7 Revision |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response (assuming that the server application inserts those headers as it should), like so:
tshark -o ssl.keylog_file:random-sites-keys -Y"http.response.code == 200 && http.content_length && (http.content_type contains "image")" -T fields -e frame.number -e http.content_type -e http.content_length -r random-site.pcapng
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937
| | 8 | No.8 Revision |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response (assuming that the server application inserts those headers as it should), like so:
tshark -o ssl.keylog_file:random-sites-keys -Y"http.response.code == 200 && http.content_length && (http.content_type contains "image")" -T fields -e frame.number -e http.content_type -e http.content_length -r random-site.pcapng
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937
| | 9 | No.9 Revision |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response (assuming that the server application inserts those headers as it should), like so:
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937
| | 10 | No.10 Revision |
If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response (assuming that the server application inserts those headers as it should), like so:
You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.
Here's a sample of the output from the tshark command above:
102669 image/gif 43
103027 image/png 298198
103465 image/png 1042
104340 image/gif 43
104404 image/png 1496505
104415 image/vnd.microsoft.icon 1680
104469 image/gif 43
104560 image/gif 43
107343 image/gif 43
107798 image/gif 43
108566 image/svg+xml 2066
108747 image/gif 37
108890 image/jpeg 13023
108981 image/png 98865
109047 image/jpeg 6428
109051 image/jpeg 937