extracting individual HTTP response body with tshark

I'm writing a script to locate and extract specific HTTP response bodies from a pcap file.

The script works in two steps - the first part locates the HTTP transactions I'm interested in. I want to extract the HTTP response body from a sub-set of those transactions. This part is fine. I've located the http.response_number of the HTTP objects I want to extract.

The part that I'm having difficulty with is using the http.response_number to extract the HTTP response body using tshark.

The closest I've found is the --export-objects, but I can't get it to filter on a specific http.response_number

tshark -r capture.pcap --export-objects http,objs http.response_number eq 1

The output to stdout suggests that the filter is selecting what I want

  994   1.809557 xx.xx.xx.xx → 10.20.228.39 HTTP/XML 773 HTTP/1.1 200 OK

but I see every object from the pcap written to disk.

Anyone know if this is possible? I'm running tshark 2.6.1
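The steps tshark performs behind --export-objects (read the pcap, reassemble each TCP direction by sequence number, split the server-to-client stream into HTTP responses, pick one by its per-stream response number) can be reproduced in pure stdlib Python when you need exactly one body and tshark's exporter will not filter for you. The block below is an added example, not code from the question or from the Wireshark project, and it runs on a constructed in-memory pcap: the client/server addresses, ports, URLs and XML bodies are hypothetical, the capture is assumed to be classic pcap with Ethernet/IPv4/TCP framing, and only Content-Length framed bodies are handled (chunked encoding and partially overlapping retransmissions are left as caveats in the comments).

```python
"""Pull the N-th HTTP response body out of a pcap: pcap parsing, TCP reassembly
and HTTP response splitting in pure stdlib Python (added example, no tshark)."""
import struct

def iter_pcap_packets(data):
    """Yield each captured frame from a classic (non-pcapng) pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24  # global header: magic, version, thiszone, sigfigs, snaplen, linktype
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """Decode an Ethernet/IPv4/TCP frame into ((src, sport), (dst, dport), seq, payload)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (ip[12:16], sport), (ip[16:20], dport), seq, tcp[data_off:]

def reassemble(pcap_bytes):
    """Map each unidirectional flow to its payload bytes in sequence-number order.
    Exact duplicates (same seq) are dropped; partial overlaps and sequence
    wrap-around are NOT handled, which a production reassembler must do."""
    flows = {}
    for frame in iter_pcap_packets(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[3]:
            src, dst, seq, payload = seg
            flows.setdefault((src, dst), {}).setdefault(seq, payload)
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in flows.items()}

def split_responses(stream):
    """Split a server-to-client stream into (status_line, headers, body) tuples.
    Only Content-Length framing is handled; chunked encoding raises."""
    out, pos = [], 0
    while stream.startswith(b"HTTP/", pos):
        hdr_end = stream.index(b"\r\n\r\n", pos)
        lines = stream[pos:hdr_end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "content-length" not in headers:
            raise ValueError("only Content-Length framed bodies are handled in this example")
        length, body_start = int(headers["content-length"]), hdr_end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:
            raise ValueError("capture ends mid-body: response is truncated")
        out.append((lines[0], headers, body))
        pos = body_start + length
    return out

def extract_response_body(pcap_bytes, response_number, stream_index=0):
    """Body of response `response_number` (1-based and counted per TCP stream, the
    same idea as Wireshark's http.response_number) in the stream_index-th HTTP stream."""
    server_streams = [s for _, s in sorted(reassemble(pcap_bytes).items())
                      if s.startswith(b"HTTP/")]
    return split_responses(server_streams[stream_index])[response_number - 1][2]

# ---- constructed sample capture: hypothetical hosts/URLs/bodies, not from the post ----
def build_frame(src_ip, sport, dst_ip, dport, seq, payload):
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 1, i, len(f), len(f)) + f
                             for i, f in enumerate(frames))

def http_response(body):
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)

CLIENT, SERVER = ("10.20.228.39", 51000), ("192.0.2.10", 80)
BODY1, BODY2 = b"<r><x>first</x></r>", b"<r><x>second</x></r>"
_resp1, _cut = http_response(BODY1), 40
SAMPLE_PCAP = build_pcap([
    build_frame(*CLIENT, *SERVER, 1000, b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame(*SERVER, *CLIENT, 5000 + _cut, _resp1[_cut:]),  # second half arrives first
    build_frame(*SERVER, *CLIENT, 5000, _resp1[:_cut]),
    build_frame(*SERVER, *CLIENT, 5000, _resp1[:_cut]),          # exact retransmit, dropped
    build_frame(*CLIENT, *SERVER, 1040, b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame(*SERVER, *CLIENT, 5000 + len(_resp1), http_response(BODY2)),
])

if __name__ == "__main__":
    print(extract_response_body(SAMPLE_PCAP, 1).decode())
    print(extract_response_body(SAMPLE_PCAP, 2).decode())
```

Two points the example makes explicit. First, http.response_number is counted per TCP stream, so a filter on it alone matches the first response of every connection rather than a single object; the function above therefore also takes a stream index. Second, the body lives in reassembled data, so any filter that keeps only the packet Wireshark labels as the response drops the earlier segments that reassembly needs. If you stay with tshark, a common workaround is to write the whole stream out first (for instance `tshark -r capture.pcap -Y "tcp.stream eq N" -w one_stream.pcap`, with N taken from your first pass) and then run --export-objects against that smaller file, which leaves the exporter nothing else to write.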