Ask Your Question
0

tshark http.file_data does not work

asked 2018-07-13 07:52:33 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

Hello, I wanna get a size of image transactions from my pcap data. When I see the pcap file using wireshark, I can see that there is a JPEF image soundly. However, when I use tshark, http.file_data turns out some trash value --> ���� The command was:

tshark -nr ./pcap -o ssl.keylog_file:./key -Y 'frame.number==287' -T fields -e http.file_data

How can I get the right image data using tshark? Thanks for any info you can provide.

edit retag flag offensive close merge delete

Comments

I doubt the whole image is contained in just one frame (287)

Jaap gravatar imageJaap ( 2018-07-13 09:42:23 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2018-07-30 04:45:18 +0000

wesmorgan1 gravatar image

updated 2018-07-30 05:03:15 +0000

If all you want is the image type and size, you can pull them from the Content-Length and Content-Type headers of each 200 OK response (assuming that the server application inserts those headers as it should), like so:

tshark -o ssl.keylog_file:random-sites-keys -Y"http.response.code == 200 && http.content_length && (http.content_type contains "image")" -T fields -e frame.number -e http.content_type -e http.content_length -r random-site.pcapng

You need to specify http.response.code == 200 in the filter because other HTTP methods (e.g. POST) and responses (e.g. 3xx) can contain Content-Length and Content-Type headers; filtering for 200 ensures that you'll only get results for successful server responses.

Here's a sample of the output from the tshark command above:

102669  image/gif   43
103027  image/png   298198
103465  image/png   1042
104340  image/gif   43
104404  image/png   1496505
104415  image/vnd.microsoft.icon    1680
104469  image/gif   43
104560  image/gif   43
107343  image/gif   43
107798  image/gif   43
108566  image/svg+xml   2066
108747  image/gif   37
108890  image/jpeg  13023
108981  image/png   98865
109047  image/jpeg  6428
109051  image/jpeg  937
edit flag offensive delete link more

Comments

Thanks for your reply! Then, if I want complete reassembled data, what kind of a tshark command I should use?

DavidCho gravatar imageDavidCho ( 2018-08-18 20:45:47 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-07-13 07:52:33 +0000

Seen: 1,234 times

Last updated: Jul 30 '18

Related questions

Possible MSS Issue