Ask Your Question

pmqs's profile - activity

2019-05-30 07:38:40 +0000 marked best answer Using tshark to work out Elapsed time for HTTP Response

I need to automate the extraction of the start & end times for a series of HTTP Responses in a pcap.

Using tshark I can use the boolean field http.response to flag the start of the Response and record the frame.time_relative.

The part that looks like it needs more effort is getting the time for the frame that marks the end of the HTTP Response. I think I will need to maintain some history whilst scanning the pcap a frame at a time whilst filtering on the tcp.stream. If I encounter a new HTTP Request in the same tcp.stream (or the end of the file), the the time of the last response path frame for the tcp.stream gives me the end time for the response.

Does that sound correct, or is there an easier way to achieve the same thing with tshark or any of its command-line siblings?

2019-05-30 07:38:40 +0000 received badge  Scholar (source)
2019-05-30 07:38:22 +0000 commented answer Using tshark to work out Elapsed time for HTTP Response

Thanks - will have a look at that. I need this to run via tshark - found Batch Processing with Tshark so that should be

2019-05-29 18:51:19 +0000 asked a question Using tshark to work out Elapsed time for HTTP Response

Using tshark to work out Elapsed time for HTTP Response I need to automate the extraction of the start & end times f

2019-05-25 15:01:51 +0000 commented answer Extracting individual HTTP Response Body with tshark

I've created a ticket for this on Bugzilla

2019-05-24 12:43:28 +0000 commented answer Extracting individual HTTP Response Body with tshark

@SYN-bit - do you think that this is a bug in the Windows/MacOS implementations?

2019-05-21 21:12:24 +0000 commented answer Extracting individual HTTP Response Body with tshark

Appears Windows & MacOS have the same behaviour then.

2019-05-21 21:12:24 +0000 received badge  Commentator
2019-05-21 15:48:51 +0000 commented answer Extracting individual HTTP Response Body with tshark

The plot thickens. I put tshark on a Windows box to see if I could replicate what you are getting and I think I have. O

2019-05-21 15:22:01 +0000 commented answer Extracting individual HTTP Response Body with tshark

Interesting - when I compare the export versus http.file_data I get exactly one byte difference. The output from http.fi

2019-05-21 08:00:40 +0000 commented answer Extracting individual HTTP Response Body with tshark

Try this file -- test.pcap And run this tshark -r test.pcap -T fields -e http.file_data http.response_number eq 1

2019-05-20 14:28:34 +0000 commented answer Extracting individual HTTP Response Body with tshark

Sure. Is there a common place for uploading pcaps on this forum?

2019-05-20 14:09:08 +0000 edited answer Extracting individual HTTP Response Body with tshark

Answering my own question. After some trial and error, I found that the field http.file_data is what I'm looking for t

2019-05-20 11:15:00 +0000 commented answer Extracting individual HTTP Response Body with tshark

Yep, I know about http.response_number being per TCP. My cut-and-paste from the real command line removed too much of th

2019-05-20 07:38:25 +0000 commented answer Extracting individual HTTP Response Body with tshark

Thanks. The field http.file_data appears to be what I'm looking for.

2019-05-20 07:36:46 +0000 answered a question Extracting individual HTTP Response Body with tshark

Answering my own question. After some trial and error, I found that the field http.file_data is what I'm looking for t

2019-05-17 15:02:38 +0000 edited question Extracting individual HTTP Response Body with tshark

extracting individual HTTP response body with tshark I'm writing a script to locate and extract specific HTTP response

2019-05-17 14:59:47 +0000 asked a question Extracting individual HTTP Response Body with tshark

extracting individual HTTP response body with tshark I'm writing a script to locate and extract specific HTTP response

2019-05-09 12:46:16 +0000 commented answer Is there a field name for pcap filename?

Thanks. Will go with Plan "B" then :-)

2019-05-09 12:45:58 +0000 commented answer Is there a field name for pcap filename?

Thanks. Will go with Plan "B" than :-)

2019-05-09 12:20:25 +0000 commented question Is there a field name for pcap filename?

Updated question to add more detail

2019-05-09 12:19:33 +0000 edited question Is there a field name for pcap filename?

Is there a field name for pcap filename? I'm using a program that executes tshark to collect a series of fields from a l

2019-05-09 12:19:33 +0000 received badge  Editor (source)
2019-05-09 11:44:34 +0000 commented question Is there a field name for pcap filename?

The problem is I'm not running against a single pcap file. This is all happening within a program that invokes tshark ag

2019-05-09 11:23:20 +0000 asked a question Is there a field name for pcap filename?

Is there a field name for pcap filename? I'm using tshark to collect a series of fields from a large collection of pcap