Ask Your Question

tshark: get packet numbers of exported HTTP objects

asked 2020-06-17 16:02:48 +0000

I am trying to obtain the associated packet numbers, and source and destination IPs of each exported object obtained from tshark. I am currently using a command like

tshark -r trace.pcap --export-objects "http,/tmp/"

which, of course, just gives the filenames as they appeared in the capture. I saw this other question for DICOM objects (, which gives the packet number in the exported filename, but I don't know if this is available currently for HTTP.

I am considering something like doing further parsing of the pcap to search for HTTP GET of the files in question and the associated 200 OK responses, but I don't know if that is a good way of doing this (I can think of a problem with this off the top of my head if multiple files have the same filename like favicon.ico).

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2020-06-17 19:27:02 +0000

Chuckc gravatar image

There was a proposed patch that wasn't accepted.

The patch adds packet number to the filename and changes the extention according to the Content-Type.

Might be worth opening an enhancement request in Bugzilla

Until then looks like a programming/scripting exercise to get your data.

edit flag offensive delete link more


The referenced change was more about solving the issue of illegal characters when converting the URL path to a filename, and using the packet number was one option that wasn't really considered in the later work.

I think this does warrant an enhancement request.

@pptenshi, post a comment back here with the enhancement request link so that others looking for the answer to this question can follow it up.

grahamb gravatar imagegrahamb ( 2020-06-17 19:50:19 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-06-17 16:02:48 +0000

Seen: 35 times

Last updated: Jun 17