This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark filter from a file

1

Hi, I'm using tshark to capture hostnames (http.host), source (ip.src) and destination (ip.dst) IPs, and the frame time (frame.time). I am capturing only tcp ports 80 and 443 (web traffic). The command I'm using is: tshark tcp port 80 or tcp port 443 -V -R "http.request" -Tfields -e http.host -e ip.src -e ip.dst -e frame.time

Is there a way for me to pass a list of hostnames that I want to capture from a file? I understand that I could save the entire capture to a file and use grep -f to filter it after the fact. I am trying to avoid saving the entire capture to a file, and only save the hostnames that I'm interested in.

For example, I have a file called interesteddomains that contains a list of domains (i.e. facebook.com, ebay.com, etc.). These domains are listed on separate lines of this file. I want to pass this list of domains (from the file) to tshark, and only capture domains that are in this file.

I'm trying to pipe the realtime capture to grep, but it doesn't seem to like that (or I'm doing something wrong :)). I was wondering if I could eliminate the need to grep it and just handle the filtering in the tshark command.

Any help would be appreciated! I apologize if this is confusing.

Jason

asked 29 Feb '12, 07:01

jbloink
accept rate: 0%


2 Answers:

2

There is probably some complicated awk script that you can run to build a display filter from the contents of the file. Something like:

cat domains.txt | awk '{printf(" http.host==\"%s\" && ", $1)}'

Punctuation soup! It should produce the following (assuming www.yahoo.com and www.facebook.com are lines in that file):

http.host=="www.yahoo.com" &&  http.host=="www.facebook.com" &&

Starting to look like a tshark -R display filter? That's as close as I could come given a few moments, but some combination of that, and using the backticks operator in bash might get you closer.

Alternately, you could whip up a quick perl or ruby script to parse the file, and output the display filter. Assuming such a magic script existed, you could build that filter like this:

tshark [your options] -R "`./magic-script.rb domains.txt` && http.request" -T fields -e [etc...]

Good luck!

answered 01 Mar '12, 20:44

zachad
accept rate: 21%

edited 01 Mar '12, 20:44

Thanks guys! I appreciate your help. I'll mess around a bit more and post any updates for future reference.

Jason

(06 Mar '12, 07:53) jbloink
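The approach sketched above (turn a file of hostnames into a display filter and hand it to tshark) written out as a small POSIX shell function. This is an added example, not code from the original thread: the file name, the helper name build_host_filter and the sample domain list are all constructed here. It joins the hosts with "||" rather than "&&" (a packet has one http.host, so an "&&" chain can never match), skips blank and comment lines, escapes embedded double quotes, and wraps the host terms in parentheses so that the leading "http.request &&" applies to the whole list.

```shell
#!/bin/sh
# Build a tshark display filter that matches HTTP requests to any host listed
# in a file (one hostname per line; blank lines and '#' comments are ignored).

build_host_filter() {
    # $1: path to the hostname list. Prints the filter on stdout;
    # returns 1 if the file contains no usable hostnames.
    _filter=""
    while IFS= read -r _host || [ -n "$_host" ]; do
        # trim surrounding whitespace (also strips a trailing CR from CRLF files)
        _host=$(printf '%s' "$_host" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$_host" in
            ''|'#'*) continue ;;
        esac
        # escape any embedded double quote so the filter string stays well formed
        _esc=$(printf '%s' "$_host" | sed 's/"/\\"/g')
        _term="http.host == \"$_esc\""
        if [ -z "$_filter" ]; then
            _filter="$_term"
        else
            _filter="$_filter || $_term"
        fi
    done < "$1"
    if [ -z "$_filter" ]; then
        echo "build_host_filter: no hostnames found in $1" >&2
        return 1
    fi
    # Parentheses are required: "&&" binds tighter than "||" in display filters.
    printf 'http.request && (%s)\n' "$_filter"
}

# --- demo with a constructed hostname list (not a file from the original post) ---
list=$(mktemp)
printf 'facebook.com\n# tracking pixels\nebay.com\n' > "$list"
filter=$(build_host_filter "$list")
echo "$filter"
# Live use needs tshark and capture privileges. -f is the BPF capture filter,
# -Y the display filter (older tshark releases, as in this thread, used -R):
# tshark -i eth0 -f "tcp port 80 or tcp port 443" -Y "$filter" \
#        -T fields -e frame.time -e ip.src -e ip.dst -e http.host
rm -f "$list"
```

Two caveats for anyone reusing this: http.host is only populated for plaintext HTTP, so on port 443 the filter above matches nothing; for TLS the hostname is visible in the ClientHello SNI field (tls.handshake.extensions_server_name in current Wireshark, ssl.handshake.extensions_server_name in older releases) and a second set of terms against that field is needed. And since the filter is built from file contents, keep the list under your control; a stray quote or operator in a line would otherwise change the filter's meaning, which is why the function escapes quotes and rejects an empty list instead of emitting "http.request && ()".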

1

You can use TShark with the option -T fields to create a .csv file:
$ tshark -r clmt_04.pcap -T fields -e http.host | sort | uniq | sort > http.host.csv
$ tshark -r clmt_04.pcap -T fields -e http.request.full_uri | sort | uniq | sort > http.request.full_uri.csv

answered 02 Mar '12, 22:02

joke
accept rate: 9%