wireshark
I have some .pcap from which I would like to extract all http headers.
By using the filters I'm able to display only Http requests but what I would like is to be able to extract/display/print/export the headers for each requests.
Can I do that with Wireshark or should I parse the .pcap file myself ?
Thanks a lot
You can load the packet trace in Wireshark, and apply the filter
tcp.flags.ecn==1
to see only packets with the ECN-Echo bit set in the TCP header, and
tcp.flags.cwr==1
to see only the packets with the ECN-CWR (Congestion Window Reduced) bit set in the TCP header.
Here is the list of TCP filters in Wireshark.
You may also be interested in filtering on ECN-CE flags in the IP header, which you can do with
ip.dsfield.ecn == 0x03
Here is the list of IP filters in Wireshark.
To see what it should look like, you can download this sample capture from the Wireshark Sample Captures page. This capture includes packets with ECN events.
Honestly, this solution isn't ideal because the tool you're using isn't ideal. I get that this is something you're just exploring and trying to understand, I would simply advise against using it as a go-to method in the future. Using the CLI with tcpdump or tshark will afford you much greater filtering abilities as it allows you to use things like sed, awk, grep, etc.
While I don't know anything about Netdisco, I suspect that it isn't using the exact method that Wireshark is using to filter things, so this may not be the best example.
The correct solution to achieve exactly what you want inside Wireshark is to build a packet dissector:
https://www.wireshark.org/docs/wsdg_html_chunked/ChapterDissection.html
However, for the quick and dirty, which is what it sounds like you want:
I took an identical capture using one of the boxes in my lab, if you're looking for just IP address:
snmp.value.ipv4 (or snmp.value.ipv6)
This will display any packets with IPv4 address values returned in the responses. However, because address and subnet mask are passed back in the same format, you will have to be able to discern which are real addresses and which are subnet masks.
In addition, you can break out the addresses (and masks) into their own column, then sort them in order which should leave all of the subnet masks at the bottom of the list.
First: Right Click the specific field you want to build into a column, in our case it's the IpAddress Value:
Second: Sort. (Apologies on the image scale)
I hope this helps.
Best Answer
I often do that by using either one of two following options:
Go to Edit - Preferences - Appearance - Column, on the right hand side, click '+' button to define your new column. Name your new column (Title), choose Type as "Custom" and enter the Fields you want to get the information of. Below screenshot is what we have with
http.hostheader field.http.hostheader field from http_only pcap file which we used in first option above.C:\Program Files\Wireshark>tshark -r http_only.pcapng -T fields -e "http.host" > http_host_only.txtI hope it is useful.