Ask Your Question
0

How to capture filter by tshark http.request Of traffic

asked 2020-08-03 09:10:05 +0000

hahaha gravatar image

Now I use is a display filter to collect.my lan traffic is relatively large, which will lead to a large number of temporary files under / var / TMP and insufficient hard disk capacity. What I do is

tshark -i eth1 -Y http.request

The - a option cannot be added because tshark will analyze the data even if it stops collecting, and adding the - a option will cause data loss.I want to get rid of most of the irrelevant traffic directly through the capture filter so that this will not happen

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
0

answered 2020-08-08 13:07:05 +0000

JasMan gravatar image

First of all you should try to use dumpcap instead of tshark for a better performance.

You can then work with the advanced capture filters. According to the Wireshark site this filter should fulfill your needs to capture all HTTP GET requests:

dumpcap -i eth1 -f "tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"

edit flag offensive delete link more
0

answered 2020-08-03 13:56:09 +0000

cmaynard gravatar image

If you're only interested in http traffic, then you could try applying a capture file of "tcp port 80", e.g.:

tshark -i eth1 -Y http.request -f "tcp port 80"

And rather than looking at the -a option, you might consider the -b and -w options instead.

edit flag offensive delete link more

Comments

I tried

tshark -i eth1 -Y http.request -f "tcp port 80"

can‘t get traffic in LAN,but with use

tshark -i eth1 -Y http.request

can get a large number of packages,like these

27240 1.171651300 1.199.192.88 → 239.255.255.250 SSDP 183 M-SEARCH * HTTP/1.1 27242 1.171831900 172.16.1.166 → 239.255.255.250 SSDP 175 M-SEARCH * HTTP/1.1 27260 1.172677600 114.239.52.120 → 1.199.195.236 HTTP 129 CONNECT my.37.com:443 HTTP/1.1 27312 1.174767500 39.107.26.95 → 106.46.4.191 HTTP 810 GET http://theta.sogoucdn.com/pc/js/fc.js... HTTP/1.1 27379 1.179422000 121.89.209.207 → 123.149.162.126 HTTP 185 CONNECT h5api.m.taobao.com:443 HTTP/1.1 27561 1.189019800 61.190.171.130 → 1.199.195.236 HTTP ...(more)

hahaha gravatar imagehahaha ( 2020-08-04 00:58:48 +0000 )edit

Well, you will need to construct a suitable capture filter that captures the traffic you're after. I provided a typical example using port 80 because that's the default port for HTTP traffic. If the HTTP traffic of interest uses a different port, then substitute 80 with whatever port is relevant. If you want SSDP traffic as well, then you may need to include something like "host 239.255.255.250" in your capture filter. Read more about capture filters on the pcap-filter man page.

cmaynard gravatar imagecmaynard ( 2020-08-04 13:58:00 +0000 )edit

The main reason is that tshark is a little slow in processing data, so I want to solve this problem by modifying the capture filter rules.There are many ports for HTTP traffic in my network, which is obviously impossible to implement with rules, because there are hundreds of hosts in my network. And I want to capture all the traffic and analyze HTTP data in real time, so I want to ask if there is any way to improve tshark's ability to process data. If the processing power is not improved, a large part of data will be lost.

hahaha gravatar imagehahaha ( 2020-08-05 00:56:47 +0000 )edit

It sounds more like you need to improve capture performance first. Perhaps the first suggestion I would make is to stop using tshark for capturing and simply use dumpcap (or tcpdump) and then post-analyze the traffic with tshark. If you want/need real-time (or semi-real-time) monitoring, then you'd have to come up with a method for having tsharkprocess one file at a time written by the capture tool once that tool is done writing to a file and moves to the next file. I'm sure something could be scripted. I'm sure there are other possible solutions as well, but this is just one idea. If your capture hardware can't keep up with the load, then you may need to invest in dedicated built-for-purpose hardware hardware, but that's typically not cheap, depending on your needs. Other tips may be found at https://wiki.wireshark.org/Performance

cmaynard gravatar imagecmaynard ( 2020-08-05 01:21:46 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-08-03 09:10:05 +0000

Seen: 5,295 times

Last updated: Aug 08 '20