
Wireshark-users: Re: [Wireshark-users] Tshark output in apache log format

From: Jeffs <jeffs@xxxxxxxxxxxxx>
Date: Sun, 22 Aug 2010 10:59:16 -0400
Hi Joke and thank you for your reply. This prints out a text file, not a pcap standard file. Well, it seems that way to me -- if I compare that outfile to a standard .cap file they are two totally different animals.

I think I need an output that is totally .pcap.

I could very possibly be wrong on all counts as I'm new to wireshark/tshark.

On 8/20/2010 11:03 AM, j.snelders wrote:
Hi Jeffs,

You can use a display filter -R 'http.host contains "www"' and write the
packets to -w outfile:
$ tshark -r infile.pcap -R 'http.host contains "www"' -w outfile.pcap

Best regards
Joke

On Fri, 20 Aug 2010 09:55:26 -0400 Jeffs wrote:
I doubt that Tshark can output a file in apache log format, but
another program, justniffer, can read a .cap file and output in apache
log format.

I am currently using the following tshark command line to extract only
sessions with 'www.' in the link:

tshark -r test.pcap -T fields -e http.host | sed 's/?.*$//' | sed -n '/www\./p' | sort | uniq -c | sort -rn | head -n 500

but this output is not in apache log format for use by justniffer.

Can someone suggest a method to:

either use tshark to output in apache log format only data with "www."
in the data, or

use a tshark command line sequence to output a "standard" .cap file that
would contain all the usual .cap data but only for those records that
contain "www." in them.

Thanks.
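Added example, written for this page and not part of either poster's message: a small POSIX shell script that does the check Jeffs was trying to do by eye (is outfile a real capture file, or tshark's one-line-per-packet text output?) by reading the file's magic number, and that wraps the filter-and-write step from Joke's reply for current tshark, which takes the display filter with -Y (tshark 1.4, current in 2010, used -R for the same job). A third function addresses the "sessions" wording in the original question: http.host only matches the request packet that carries the header, so keeping whole TCP conversations needs a second pass on tcp.stream. Function names, the sample files the script writes, and the output file names are constructed for the example; only the magic-number check runs without tshark.

```shell
#!/bin/sh
# Added example; not code from the thread. Requires only POSIX tools for the
# magic-number check; the two tshark functions need tshark 3.6 or later.

pcap_kind() {
    # Print "pcap", "pcap-nsec", "pcapng" or "not-a-capture" for file $1,
    # based on its first four bytes. tshark's default output is text and
    # starts with a frame number, so it lands in "not-a-capture".
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;        # classic libpcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) echo pcap-nsec ;;   # libpcap, nanosecond timestamps
        0a0d0d0a)          echo pcapng ;;      # pcapng Section Header Block
        *)                 echo not-a-capture ;;
    esac
}

write_pcap_header() {
    # Constructed sample: a 24-byte libpcap global header and no packets
    # (little-endian magic, version 2.4, snaplen 65535, LINKTYPE_ETHERNET).
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

www_filter_pcap() {
    # $1 = input capture, $2 = output capture (assumed names).
    # Keeps only the HTTP request packets whose Host header contains "www"
    # and writes them as a normal capture file, as in Joke's reply, but with
    # -Y, which replaced -R as the display-filter option in tshark 1.10.
    tshark -r "$1" -Y 'http.host contains "www"' -w "$2"
}

www_sessions_pcap() {
    # Same input/output as above, but keeps the whole TCP conversation of
    # every matching request: first collect the tcp.stream index of each
    # matching request, then filter on that set. The comma-separated set
    # syntax needs tshark 3.6 or later.
    streams=$(tshark -r "$1" -Y 'http.host contains "www"' -T fields -e tcp.stream \
              | sort -un | paste -sd, -)
    [ -n "$streams" ] || { echo "no request with www in Host found" >&2; return 1; }
    tshark -r "$1" -Y "tcp.stream in {$streams}" -w "$2"
}

# Demo on constructed files; no tshark needed.
demo=$(mktemp -d)
write_pcap_header "$demo/out.pcap"
printf '  1 0.000000 10.0.0.1 -> 10.0.0.2 HTTP GET / HTTP/1.1\n' > "$demo/out.txt"
echo "out.pcap: $(pcap_kind "$demo/out.pcap")"   # -> pcap
echo "out.txt:  $(pcap_kind "$demo/out.txt")"    # -> not-a-capture
rm -rf "$demo"

# With tshark installed and an input capture as $1, produce the two filtered
# files and confirm each is a capture file rather than text.
if [ -n "$1" ] && command -v tshark >/dev/null 2>&1; then
    www_filter_pcap "$1" www-packets.pcap  && pcap_kind www-packets.pcap
    www_sessions_pcap "$1" www-streams.pcap && pcap_kind www-streams.pcap
fi
```

Running `pcap_kind` on the file Jeffs compared against a standard .cap is the quick way to settle "text or pcap": a file written with `-w` reports `pcap` (or `pcapng` on current Wireshark, whose default output format changed), while anything produced by `-T fields` or plain `tshark -r` on stdout reports `not-a-capture`.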