tshark: get packet numbers of exported HTTP objects

I am trying to obtain the associated packet numbers, and source and destination IPs of each exported object obtained from tshark. I am currently using a command like

tshark -r trace.pcap --export-objects "http,/tmp/"

which, of course, just gives the filenames as they appeared in the capture. I saw this other question for DICOM objects (https://ask.wireshark.org/question/15903/tshark-export-object-with-ips/), which gives the packet number in the exported filename, but I don't know if this is available currently for HTTP.

I am considering something like doing further parsing of the pcap to search for HTTP GET of the files in question and the associated 200 OK responses, but I don't know if that is a good way of doing this (I can think of a problem with this off the top of my head if multiple files have the same filename like favicon.ico).
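
The request/response pairing considered in the question, as an added example that is not part of the original post: it parses `tshark -T fields` output and keeps the response frame number with every object, so two downloads of `favicon.ico` stay distinct. The tshark command in the comment, the sample lines and the function names are assumptions made for this example.

```python
from collections import defaultdict
from posixpath import basename
from urllib.parse import urlsplit

# Assumed command producing the tab-separated input (one line per HTTP response):
#   tshark -r trace.pcap -Y http.response -T fields -e frame.number -e ip.src \
#     -e ip.dst -e http.request_in -e http.response.code -e http.response_for.uri
# Constructed sample output, not from a real capture. Two servers return
# favicon.ico, one response is a 404, and one has no matching request.
SAMPLE = "\n".join([
    "12\t203.0.113.10\t192.0.2.5\t8\t200\thttp://a.example/favicon.ico",
    "20\t203.0.113.10\t192.0.2.5\t15\t200\thttp://a.example/index.html",
    "31\t198.51.100.7\t192.0.2.5\t27\t200\thttp://b.example/favicon.ico",
    "40\t198.51.100.7\t192.0.2.5\t36\t404\thttp://b.example/missing.png",
    "44\t198.51.100.7\t192.0.2.5\t\t200\t",
])


def parse_responses(text):
    """Turn tshark -T fields lines into dicts; ip.src of a response is the server."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        frame, server, client, req, status, uri = parts
        rows.append({
            "frame": int(frame), "server": server, "client": client,
            # http.request_in is empty when tshark could not pair the response
            "request_frame": int(req) if req.isdigit() else None,
            "status": status, "uri": uri,
        })
    return rows


def index_objects(rows):
    """Group 200 OK responses by the file name taken from the request URI."""
    index = defaultdict(list)
    for row in rows:
        if row["status"] != "200":
            continue
        name = basename(urlsplit(row["uri"]).path) or "(unknown)"
        index[name].append(row)
    return dict(index)


if __name__ == "__main__":
    for name, hits in index_objects(parse_responses(SAMPLE)).items():
        for h in hits:
            print(name, h["frame"], h["request_frame"], h["server"], h["client"])
```
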