If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response (assuming that the server application inserts those headers as it should), like so:

tshark -o ssl.keylog_file:random-sites-keys -Y 'http.response.code == 200 && http.content_length && (http.content_type contains "image")' -T fields -e frame.number -e http.content_type -e http.content_length -r random-site.pcapng

You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.

Here's a sample of the output from the tshark command above:

102669  image/gif   43
103027  image/png   298198
103465  image/png   1042
104340  image/gif   43
104404  image/png   1496505
104415  image/vnd.microsoft.icon    1680
104469  image/gif   43
104560  image/gif   43
107343  image/gif   43
107798  image/gif   43
108566  image/svg+xml   2066
108747  image/gif   37
108890  image/jpeg  13023
108981  image/png   98865
109047  image/jpeg  6428
109051  image/jpeg  937
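
An added example, not part of the original answer: a shell function that totals the three-column tshark output above per image type. It goes slightly beyond the answer by tolerating Content-Type parameters, comma-joined values (tshark's default aggregator when a header repeats) and rows with no usable Content-Length. The function names and the last two sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Real use:  tshark ... -T fields -e frame.number -e http.content_type \
#                -e http.content_length -r random-site.pcapng | summarise_images
# Input:  frame number, Content-Type, Content-Length (tab-separated).
# Output: type, response count, total bytes, largest response (tab-separated),
#         then a final "skipped" line for rows without a numeric length.
summarise_images() {
    awk -F '\t' '
        NF < 3 || $3 == "" { skipped++; next }    # no Content-Length value
        {
            type = tolower($2)
            sub(/[;,].*$/, "", type)               # drop parameters or repeated values
            gsub(/[ \t]+/, "", type)
            len = $3
            sub(/,.*$/, "", len)                   # keep first value if header repeats
            if (len !~ /^[0-9]+$/) { skipped++; next }
            count[type]++
            bytes[type] += len
            if (len + 0 > max[type]) max[type] = len + 0
        }
        END {
            for (t in count)
                printf "%s\t%d\t%d\t%d\n", t, count[t], bytes[t], max[t]
            printf "skipped\t%d\n", skipped
        }
    ' | LC_ALL=C sort
}

# Sample rows: the first five are taken from the output above; the last two
# are constructed to exercise a Content-Type parameter and an empty length.
sample_rows() {
    printf '%s\t%s\t%s\n' \
        102669 image/gif 43 \
        103027 image/png 298198 \
        103465 image/png 1042 \
        104340 image/gif 43 \
        108566 image/svg+xml 2066 \
        900001 'image/PNG; charset=binary' 10 \
        900002 image/jpeg ''
}

sample_rows | summarise_images
```
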