
Hi,

Is it possible to copy multiple URIs at once in Wireshark 1.6.5?

Right now, when Wireshark displays an http GET command of interest, I select the packet, then right click on the Full Request URI under "Hypertext Transfer Protocol", "Copy", then "Value". When there are hundreds of URIs to copy, it becomes maddening.

Ideally, I would like to select the packets with ctrl+click, shift+click or ctrl+A, then right click and copy Full URIs.

Is there any way to get the full URIs faster than how I'm doing now ?

Thank you very much for your help!

asked 21 Jan '12, 18:12

Arto65


You can use TShark, one of the Wireshark tools, to do the job:

-T pdml|ps|psml|text|fields  format of text output (def: text)
-e <field>                   field to print if -Tfields selected (e.g. tcp.port);
$ tshark -r clmt_04.pcap -T fields -e http.request.full_uri | sort | uniq > http.request.full_uri.txt


answered 22 Jan '12, 01:07

joke

edited 22 Jan '12, 01:08

Thank you very much, joke!

I got it working but using this: tshark -i [mycaptureinterface] -e http.request.full_uri -Tfields -f capture.filter > f:\captureoutput.txt

It's not as good as I'd hope, but at least it's working. Do you think it would be a worthy feature to implement in Wireshark? Being able to copy one type of information from multiple packets? I, for one, would love that.

(23 Jan '12, 05:51) Arto65


You get a better result when you use TShark together with sort and uniq:
$ tshark -i 4 -T fields -e http.request.full_uri | sort | uniq > http.request.full_uri4.txt

I run cygwin on my Windows box.
It took some time, but once I had learned how to use the command line tools, I love to use them.
Just some examples:

$ tshark -r test.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len > test1.csv

$ tshark -r test.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len -E header=y -E separator=, > test2.csv

$ tshark -r test.pcap -R "frame.number<40" -T fields -e frame.number -e frame.time -e frame.time_delta -e frame.time_delta_displayed -e frame.time_relative -E header=y > test3.csv

$ tshark -r test.pcap -R "wlan.fc.type_subtype == 0x08" -T fields -e frame.number -e wlan.sa -e wlan.bssid > test4.csv

$ tshark -r test.pcap -R "ip.addr==192.168.1.6 && tcp.port==1696 && ip.addr==67.212.143.22 && tcp.port==80" -T fields -e frame.number -e tcp.analysis.ack_rtt -E header=y > test5.csv

$ tshark -r test.pcap -T fields -e frame.number -e tcp.analysis.ack_rtt -E header=y > test6.csv


BTW
You can also file an enhancement bug at Bugzilla.


answered 23 Jan '12, 11:10

joke

What are 'sort' and 'uniq' for? I am not sure why I need them for this specific task: I just need the URL in the order they're coming, and there are never any dupes.

Why the need for cygwin? I use cygwin for rsync for example, but what are the benefits for Tshark?

I filed an enhancement request at Bugzilla, we'll see how it goes!

Thanks again for everything!

(24 Jan '12, 01:17) Arto65

I converted your "answer" to a comment as that is how this site works. See the FAQ for details.

The extra commands in the pipeline fairly obviously sort the output and remove duplicates; this may be useful for some folks.

For those that have embraced PowerShell the equivalent would be:

PS C:\temp> & 'tshark.exe' -r test.pcap -T fields -e http.request.full_uri | Sort-Object | Get-Unique

(24 Jan '12, 07:26) grahamb ♦
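
An added example, not part of the original thread: a post-processing step for the `-T fields -e http.request.full_uri` output discussed above that keeps URIs in capture order, where `sort | uniq` would reorder them. It assumes tshark prints an empty line for each packet that lacks the field and that a native Windows tshark.exe run under Cygwin may emit CRLF line endings; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: clean up `tshark -T fields -e http.request.full_uri` output.
# Function names and sample data are hypothetical, not from the thread.

# Keep each URI once, in first-seen (capture) order.
clean_uris() {
    # sub() strips a trailing CR (CRLF output from tshark.exe under Cygwin);
    # NF drops the empty lines printed for packets without the field;
    # !seen[$0]++ passes only the first occurrence of each URI.
    awk '{ sub(/\r$/, "") } NF && !seen[$0]++'
}

# Count requests per URI, most requested first (tab-separated: count, URI).
count_uris() {
    awk '{ sub(/\r$/, "") } NF { n[$0]++ }
         END { for (u in n) printf "%d\t%s\n", n[u], u }' |
        LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample of what tshark emits when no read filter is applied:
# blank lines for non-request packets, one repeated URI, one CRLF-terminated line.
sample_output() {
    printf '%s\n' 'http://example.test/index.html' '' \
                  'http://example.test/img/logo.png' ''
    printf 'http://example.test/index.html\r\n'
    printf '%s\n' '' 'http://cdn.example.test/app.js'
}

# With a real capture (tshark 1.6.x syntax, as used in the thread):
#   tshark -r test.pcap -R http.request -T fields -e http.request.full_uri | clean_uris
sample_output | clean_uris
```

Adding `-R http.request` on the tshark side removes most of the blank lines at the source; the awk filter still covers live captures started without a read filter.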