Wireshark-dev: Re: [Wireshark-dev] Enrich tshark data
From: Paul Offord <[email protected]>
Date: Sat, 9 Sep 2017 15:03:54 +0000



Sorry I led you astray here.


Best regards…Paul


From: Wireshark-dev [mailto:[email protected]] On Behalf Of Jaap Keuter
Sent: 09 September 2017 11:25
To: Developer support list for Wireshark <[email protected]>
Subject: Re: [Wireshark-dev] Enrich tshark data


Hi Conall,


You’re quite in the right place here to put forward these questions. I’ll have a go and try to answer them.


What you spotted is the HTTP dissector adding the HTTP status field to the protocol tree (https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-http.c;hb=HEAD#l1778)


Now we’ve to look a bit at Wireshark’s design. In its core there’s EPAN, the dissection engine. This is where the HTTP dissector lives.

The output of the dissection engine is used in various ways. In Wireshark it’s used to fill the GUI, in tshark it’s used to generate the text output. 

What format this tshark text output has is determined by the command line parameters. Then it’s up to the output routines to include the data in the selected format.

Now, the question remains how is the HTTP response code description processed by the JSON output routines. 



On 8 Sep 2017, at 15:21, Conall Prendergast <[email protected]> wrote:


Hi All,


Wireshark has the ability to enrich some of the numeric values it sees. For example, if is sees a http status code of 200, it might print "OK" beside it, because HTTP 200 means OK (This is just a guess, Im not sure what it does for HTTP status codes).


Is it possible to add this kind of enrichment to tshark's json output? 







This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com