Wireshark-users: Re: [Wireshark-users] filter for ONLY initial get request

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 10 Aug 2010 07:36:58 +0200

On 10 aug 2010, at 04:53, Jeffs wrote:
> On 8/9/2010 10:47 PM, Jeffs wrote:
>> On 8/9/2010 11:25 AM, Sake Blok wrote:
>> 
>>> Have a look at the presentation I gave at Sharkfest'10, it shows you how you can accomplish something quite similar with Tshark and some (minor) scripting. You should be able to change the commands to your needs.
>>> 
>>> http://www.cacetech.com/sharkfest.10/A-6_Blok%20HANDS-ON%20LAB%20-%20Using%20Wireshark%20Command%20Line%20Tools%20and%20Scripting.zip
>> 
>> Question: in the wonderful example in that paper for finding the top 10
>> requested URLs, with this formula:
>> 
>> tshark -r example.cap -R http.request -T fields -e http.host -e
>> http.request.uri | sed -e 's/?.*$//' | sed -e
>> 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head
>> 
>> Where does one set the top "10"?  How would I change that to, say, top
>> "20" or whatever?  Or does uniq -c always just produce the top 10?
>> 
> I can now answer my own question:


TIP: During my presentation @ Sharkfest'10  I built the command sequence step by step, you might want to try that too to get a full grasp of what each step does. That way you will be able to craft your own command sequence a little easier.

Cheers,

Sake