Object: to find the IP addresses of HTTP servers in a pcap file with a specific header string. Can or should the -l option to flush be used?

One way: the following was done, but I am wondering if it can be shortened. If this question is too broad, please advise.

tshark -r file.pcap -T fields -e ip.src -e http.server > name.txt &&
  cat name.txt | sort | uniq -c | sort -nr | grep "xxx_xxx"

If you want a count of the src IP addresses in the frames that also contain an HTTP response with a Server header containing xxx_xxx, you could do:

tshark -r file.pcap -T fields -e ip.src 'http.server contains "xxx_xxx"' |
  sort | uniq -c | sort -nr

See the doc for the syntax of wireshark display filters.

Some of tshark's own analysis reports (with -z) might also be useful to you like:

tshark -r file.pcap -z http_srv,tree -2R 'http.server contains "xxx_xxx"'
tshark -r file.pcap -z hosts,ip -2R 'http.server contains "xxx_xxx"'
tshark -r file.pcap -z conv,ip -2R 'http.server contains "xxx_xxx"'
  • This worked perfectly. There was no need to write to a file and then to cat that file. I was sure this was the case but after a dozen attempts, couldn't find a way to eliminate the extra step. The single/double quotes confuse(d) me. Can't remember what the previous iteration of -2R is. Nicely done. – stonetwigger Oct 09 '21 at 16:38
  • For my purposes, the most significant is the -z with hosts,ip 2R but all were in many ways very relevant. I will try to combine suggestions 3 and 4. – stonetwigger Oct 09 '21 at 16:48
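The same per-source count can be produced offline from a saved `-T fields` file (the asker's name.txt) instead of re-reading the pcap. This is an added example, not code from the answer above: it assumes tshark's default fields output (one TAB-separated line per frame, columns ip.src then http.server), and the sample lines are constructed stand-ins for that output. Unlike the original `sort | uniq -c | grep` pipeline, which counts distinct (ip.src, http.server) pairs, it counts frames per ip.src.

```shell
# Constructed sample standing in for the output of
#   tshark -r file.pcap -T fields -e ip.src -e http.server
# A frame with no Server header (a request, or non-HTTP traffic)
# has an empty second column.
sample_fields() {
  printf '%s\t%s\n' \
    10.0.0.5 xxx_xxx/1.2 \
    10.0.0.5 xxx_xxx/1.2 \
    10.0.0.7 nginx/1.18.0 \
    10.0.0.9 Apache \
    10.0.0.5 '' \
    10.0.0.7 xxx_xxx-proxy
}

# count_src_by_server PATTERN
# Reads fields output on stdin, keeps frames whose http.server column
# contains PATTERN as a fixed substring (same meaning as the display
# filter 'http.server contains "PATTERN"'), and prints one
# "<count> <ip.src>" line per source, highest count first.
# Frames with an empty http.server column are skipped.
count_src_by_server() {
  awk -F'\t' -v pat="$1" '
    NF >= 2 && $2 != "" && index($2, pat) > 0 { n[$1]++ }
    END { for (ip in n) printf "%d %s\n", n[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Run the counter over the constructed sample for a given pattern.
demo_count() {
  sample_fields | count_src_by_server "$1"
}
```

Replace `sample_fields` with `cat name.txt` to run it over a real fields dump.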