Wireshark-users: Re: [Wireshark-users] Tshark output in apache log format

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Sun, 22 Aug 2010 19:17:06 +0200
Hi Jeffs,

Did you use the option -w outfile?

See tshark -h or the manpage:
http://www.wireshark.org/docs/man-pages/tshark.html
-w <outfile> | -

    Write raw packet data to outfile or to the standard output if outfile is '-'.

    NOTE: -w provides raw packet data, not text. If you want text output you need to redirect stdout (e.g. using '>'), don't use the -w option for this.

Best regards
Joke


On Sun, 22 Aug 2010 10:59:16 -0400 Jeffs wrote:
> Hi Joke and thank you for your reply.  This prints out a text file,
> not a pcap standard file.  Well, it seems that way to me -- if I compare
>
>that outfile to a standard .cap file they are two totally different animals.
>
>I think I need an output that is totally .pcap.
>
>I could very possibly be wrong on all counts as I'm new to wireshark/tshark.
>
>On 8/20/2010 11:03 AM, j.snelders wrote:
>> Hi Jeffs,
>>
>> You can use a display filter -R 'http.host contains "www"' and write the
>> packets to -w outfile:
>> $ tshark -r infile.pcap -R 'http.host contains "www"' -w outfile.pcap
>>
>> Best regards
>> Joke
>>
>> On Fri, 20 Aug 2010 09:55:26 -0400 Jeffs wrote:
>>>   I doubt that Tshark can output a file in apache log format, but
>>> another program, justniffer, can read a .cap file and output in apache
>>> log format.
>>>
>>> I am currently using the following tshark command line to extract only
>>> sessions with 'www.' in the link:
>>>
>>> tshark -r test.pcap -T fields -e http.host  | sed 's/?.*$//' | sed -n
>>> '/www./p'  | sort | uniq -c | sort -rn | head -n 500
>>>
>>> but this output is not in apache log format for use by justniffer.
>>>
>>> Can someone suggest a method to:
>>>
>>> either use tshark to output in apache log format only data with "www."
>>> in the data, or
>>>
>>> use a tshark command line sequence to output a "standard" .cap file that
>>>
>>> would contain all the usual .cap data but only for those records that
>>> contain "www." in them.
>>>
>>> Thanks.
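An added example, not part of this thread: rather than filtering to a new pcap for justniffer, the other approach Jeffs asked about is to turn tshark's text output into Apache common log lines directly. The script below assumes tshark was run with display filter `http.request` (`-R` on the 2010 tshark, `-Y` on current releases) and `-T fields -e frame.time_epoch -e ip.src -e http.host -e http.request.method -e http.request.uri -e http.request.version` (real tshark field names, tab-separated output); status and byte count are not known from the request alone, so they are emitted as `-`. The sample lines are constructed.

```python
import sys
from datetime import datetime, timezone

# Field order assumed for the tshark invocation (all real tshark field names):
#   tshark -r in.pcap -Y http.request -T fields \
#     -e frame.time_epoch -e ip.src -e http.host \
#     -e http.request.method -e http.request.uri -e http.request.version
FIELDS = ["time", "src", "host", "method", "uri", "version"]


def parse_fields_line(line):
    """Split one tab-separated tshark -T fields line into a dict; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = float(rec["time"])
    except ValueError:
        return None
    return rec


def to_common_log(rec):
    """Render one request as an Apache common log line (status/bytes unknown -> '-')."""
    when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    request = f'{rec["method"]} {rec["uri"]} {rec["version"]}'
    return f'{rec["src"]} - - [{stamp}] "{request}" - -'


def convert(lines, host_substring="www"):
    """Keep requests whose Host header contains host_substring; return log lines."""
    out = []
    for line in lines:
        rec = parse_fields_line(line)
        if rec is None or host_substring not in rec["host"]:
            continue  # malformed row or host does not match, skip it
        out.append(to_common_log(rec))
    return out


# Constructed sample input (not real capture data), in the field order above.
SAMPLE = [
    "1282478400.000000\t10.0.0.5\twww.example.com\tGET\t/index.html\tHTTP/1.1",
    "1282478401.500000\t10.0.0.7\tapi.example.net\tPOST\t/submit\tHTTP/1.1",
    "malformed line",
]

if __name__ == "__main__":
    # Pipe tshark output in; with no stdin, run on the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for entry in convert(source):
        print(entry)
```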