Using tshark to work out Elapsed time for HTTP Response

I need to automate the extraction of the start & end times for a series of HTTP Responses in a pcap.

Using tshark I can use the boolean field http.response to flag the start of the Response and record the frame.time_relative.

The part that looks like it needs more effort is getting the time for the frame that marks the end of the HTTP Response. I think I will need to maintain some history whilst scanning the pcap a frame at a time whilst filtering on the tcp.stream. If I encounter a new HTTP Request in the same tcp.stream (or the end of the file), then the time of the last response path frame for the tcp.stream gives me the end time for the response.

Does that sound correct, or is there an easier way to achieve the same thing with tshark or any of its command-line siblings?
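
The per-stream bookkeeping described in the question, as an added example that is not part of the original post: a Python pass over tshark field output that closes a response when the next HTTP request or response appears in the same tcp.stream, or at end of file. Assumptions: the field list and separator in the comment, the sample rows (constructed), that http.response is set on the first frame of each response as the post states, and that only frames carrying payload (tcp.len > 0) from the responder count as response path frames.

```python
import csv

# Constructed sample of tshark field output (not from a real capture).
# Assumed command that produces this column order:
#   tshark -r capture.pcap -Y tcp -T fields -E separator=, \
#     -e frame.time_relative -e tcp.stream -e ip.src -e tcp.srcport \
#     -e tcp.len -e http.request -e http.response
SAMPLE = """\
0.000,0,10.0.0.5,50000,120,1,
0.050,0,10.0.0.9,80,1460,,1
0.051,0,10.0.0.9,80,1460,,
0.052,0,10.0.0.5,50000,0,,
0.070,0,10.0.0.9,80,300,,
0.100,1,10.0.0.5,50001,90,1,
0.130,1,10.0.0.9,80,200,,1
0.500,0,10.0.0.5,50000,110,1,
0.560,0,10.0.0.9,80,500,,1
0.900,0,10.0.0.9,80,0,,
"""

def is_set(value):
    # Boolean fields print as "1" or "True" depending on the tshark version.
    return value not in ("", "0", "False")

def response_spans(lines):
    """Return (tcp.stream, start, end) for each HTTP response, ordered by start."""
    open_resp = {}  # tcp.stream -> [responder (ip, port), start, end]
    spans = []
    for t, stream, src, port, length, req, resp in csv.reader(lines):
        t, sender = float(t), (src, port)
        if is_set(req) or is_set(resp):
            # A new request or response in this stream ends the open response.
            done = open_resp.pop(stream, None)
            if done:
                spans.append((stream, done[1], done[2]))
            if is_set(resp):
                open_resp[stream] = [sender, t, t]
        elif (stream in open_resp and open_resp[stream][0] == sender
              and int(length) > 0):
            # Payload from the responder extends the response; bare ACK/FIN
            # frames and frames from the client are ignored.
            open_resp[stream][2] = t
    # End of file closes whatever is still open.
    spans += [(s, r[1], r[2]) for s, r in open_resp.items()]
    return sorted(spans, key=lambda s: s[1])

if __name__ == "__main__":
    for stream, start, end in response_spans(SAMPLE.splitlines()):
        print(f"stream {stream}: start={start:.3f} end={end:.3f} "
              f"elapsed={end - start:.3f}")
```
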