Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Tshark output in apache log format

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Fri, 20 Aug 2010 17:03:02 +0200
Hi Jeffs,

You can use a display filter -R "http.host contains "www"" and write the
packets to -w outfile: 
$ tshark -r infile.pcap -R "http.host contains "www"" -w outfile.pcap

Best regards
Joke

On Fri, 20 Aug 2010 09:55:26 -0400 Jeffs wrote:
>  I doubt that Tshark can output a file in apache log format, but 
>another program, justniffer, can read a .cap file and output in apache 
>log format.
>
>I am currently using the following tshark command line to extract only 
>sessions with 'www.' in the link:
>
>tshark -r test.pcap -T fields -e http.host  | sed 's/?.*$//' | sed -n 
>'/www./p'  | sort | uniq -c | sort -rn | head -n 500
>
>but this output is not in apache log format for use by justniffer.
>
>Can someone suggest a method to:
>
>either use tshark to output in apache log format only data with "www." 
>in the data, or
>
>use a tshark command line sequence to output a "standard" .cap file that
>
>would contain all the usual .cap data but only for those records that 
>contain "www." in them.
>
>Thanks.