Using tshark to analyze a pcap file.
tshark -n -r capture.pcap -Y 'http.request.uri.query contains "some search string"' -T fields -e ip.src -e http.request.uri.query
OUTPUT:
r=4&f=3&s=400:585&query=this+is+what+I need&hl=en&gl=us&c=33&d=http%3A%2F%2Fwww.jskklok.com&b=1&j=google.ip.c.j_8Ejasdassw2fDt5TLAg_3783538590_2&a=ID4
I would like to pipe the tshark command to parse the output string. Looked into AWK but that appears to need a delimiter.
Is there a way to pipe the tshark command to a parser and only output the query= results?
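One way to do this, as an added example that is not part of the original post: a shell function (the name `extract_query_param` is hypothetical) that splits the query string on `&`, matches the key exactly, and prints the source IP with the decoded value. It goes slightly beyond the question by percent-decoding the value and accepting any parameter name.

```shell
# Added example: extract one parameter from tshark -T fields output.
# Each input line is "<ip.src><TAB><http.request.uri.query>" (tshark's default
# field separator is a tab); a line with no tab is treated as a bare query string.
extract_query_param() {    # $1 = parameter name, defaults to "query"
    awk -F '\t' -v want="${1:-query}" '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Percent-decode a value; "+" encodes a space in query strings.
    function urldecode(s,    out, i, c, hi, lo) {
        gsub(/\+/, " ", s)
        out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "%" && i + 2 <= length(s)) {
                hi = hexval(substr(s, i + 1, 1))
                lo = hexval(substr(s, i + 2, 1))
                if (hi >= 0 && lo >= 0) {      # valid %XX escape
                    out = out sprintf("%c", hi * 16 + lo)
                    i += 2
                    continue
                }
            }
            out = out c                        # literal char or malformed escape
        }
        return out
    }
    {
        src = (NF > 1) ? $1 "\t" : ""
        n = split($NF, pairs, "&")             # "&" separates key=value pairs
        for (k = 1; k <= n; k++) {
            eq = index(pairs[k], "=")
            # Compare the whole key so "subquery=" does not match "query".
            if (eq > 0 && substr(pairs[k], 1, eq - 1) == want)
                print src urldecode(substr(pairs[k], eq + 1))
        }
    }'
}

# Constructed sample line (not from a real capture):
printf '192.0.2.10\tr=4&query=this+is+what+I+need&hl=en\n' | extract_query_param
# With a capture file:
#   tshark -n -r capture.pcap -Y '...' -T fields -e ip.src \
#       -e http.request.uri.query | extract_query_param query
```

Decoded values come from captured traffic and can contain control characters, so pipe the result through `cat -v` before printing it to a terminal.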