Ask Your Question
0

Filter and add extra fields in the pcap

asked 2020-11-03 14:52:21 +0000

Hi,

I know that with wireshark/tshark i can filter and analyze specific fields for an HTTP request like http.time.

Is there an option to export the original pcap plus the extra fields from a filter in a new pcap for example for every http request and add http.time as the delay field in the raw data ?

edit retag flag offensive close merge delete

Comments

That is a generated field which Wireshark creates from data in the packet.
You could maybe store it in a packet comment if the file is saved in pcapng format.

packet-http.c
-------------

 { &hf_http_time,
   { "Time since request", "http.time",
    FT_RELATIVE_TIME, BASE_NONE, NULL, 0,
    "Time since the request was sent", HFILL }},

if (! nstime_is_unset(&(curr->req_ts))) {
    nstime_delta(&delta, &pinfo->abs_ts, &(curr->req_ts));
    pi = proto_tree_add_time(http_tree, hf_http_time, tvb, 0, 0, &delta);
    proto_item_set_generated(pi);
}
Chuckc gravatar imageChuckc ( 2020-11-03 15:08:14 +0000 )edit

Yes i need it to be saved additionally to the data from the packet for example as you said in a comment you thing that it is possible ?

akefallonitis gravatar imageakefallonitis ( 2020-11-03 15:23:49 +0000 )edit

I'm not sure what other tools you'll be using to process the pcapng, they may not handle comments.

grahamb gravatar imagegrahamb ( 2020-11-03 15:29:19 +0000 )edit

Comments or in custom http header also would be interesting option

akefallonitis gravatar imageakefallonitis ( 2020-11-03 15:30:48 +0000 )edit

Adding/appending packet comments in pcapng file with the Lua API: here they started with Lua but after discussion looks like editcap and a shell script may be a good solution.

Other ideas here

Chuckc gravatar imageChuckc ( 2020-11-03 17:38:59 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-11-03 15:00:10 +0000

grahamb gravatar image

Those fields are synthesised or inferred by the Wireshark dissector library from the traffic in the capture file and denoted as such by having "[]" around them and so cannot be saved in a pcap as that only contains the traffic as transmitted (along with some other met-information about the capture interfaces etc.).

Any recipient of the capture file can open it in their copy of Wireshark and see the same information (as long as their version of Wireshark calculates or infers the fields in the same way, we do change things occasionally).

edit flag offensive delete link more

Comments

Hey and thanks for your response. I wanted to inject http.time field or delay in the pcap and use it for further analysis

akefallonitis gravatar imageakefallonitis ( 2020-11-03 15:01:36 +0000 )edit

Usually further analysis means post-processing in which case using tshark to process the file and output exactly fields required is the way to go. The fields to output can be any Wireshark display filter field.

Look at the -T fields -e fieldname1 -e fieldname2 ... option.

grahamb gravatar imagegrahamb ( 2020-11-03 15:08:47 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-11-03 14:52:21 +0000

Seen: 59 times

Last updated: Nov 03