using tshark and want to parse output

amrogers3

Gawd
Joined
Nov 7, 2010
Messages
629
Using tshark to analyze a pcap file.

tshark -n -r capture.pcap -Y 'http.request.uri.query contains "some search string"' -T fields -e ip.src -e http.request.uri.query

OUTPUT:
r=4&f=3&s=400:585&query=this+is+what+I need&hl=en&gl=us&c=33&d=http%3A%2F%2Fwww.jskklok.com&b=1&j=google.ip.c.j_8Ejasdassw2fDt5TLAg_3783538590_2&a=ID4

I would like to pipe the tshark command to parse the output string. Looked into AWK but that appears to need a delimiter.

Is there a way to pipe the tshark command to a parser and only output the query= results?
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
It seems your output has a delimiter "&".

Why not try:


tshark -n -r capture.pcap -Y 'http.request.uri.query contains "some search string"' -T fields -e ip.src -e http.request.uri.query | awk -F"&" '{print $4}'

or similar
 

amrogers3

Gawd
Joined
Nov 7, 2010
Messages
629
It seems your output has a delimiter "&".

Why not try:


tshark -n -r capture.pcap -Y 'http.request.uri.query contains "some search string"' -T fields -e ip.src -e http.request.uri.query | awk -F"&" '{print $4}'

or similar

Thanks for the reply. This would be most elegant, but there are multiple &'s in various positions, so it doesn't always grab the correct one.
 

amrogers3

Gawd
Joined
Nov 7, 2010
Messages
629
grep, cut and awk should give you everything you need.


board is awesome as usual. Thanks for the replies.

Ok, may not be the most efficient but this works.

tshark -n -r capture.pcap -Y 'http.request.uri.query contains "q="' -T fields -e ip.src -e http.request.uri.query | awk '{print $1,$2}' | awk -F"q=" '{print $2}' | cut -d'&' -f1


Have another problem. I need to print out the source IP, however, it is being cut off by awk. Is there a way to retain the 1st field?

This is the original output:

Code:
field #1                field #2
192.168.1.2            r=4&f=3&s=400:585&q=this+is+what+I+need&hl=en&gl=us&c=33&d=http%3A%2F%2Fwww.jskklok.com&b=1&j=google.ip.c.j_8Ejasdassw2fDt5TLAg_3783538590_2&a=ID4
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
According to that it seems you are cutting to show the first field that is delimited by '&'. If there is a tab between the first field and the second field, you could try using ' ' as the delimiter and that should give you the first field with cut.

Although the problem is that in your second awk pipe you are only selecting items in the second field.

Basically you are saying: take the output of tshark and send it to awk, print out the first two fields, then send that to awk again and only give me the specified output in the second field, then send that to cut and only print out the first new field delimited by &.

You probably want to use && to combine some of your statements

Maybe this:

tshark -n -r capture.pcap -Y 'http.request.uri.query contains "q="' -T fields -e ip.src -e http.request.uri.query | awk '{print $1}' && awk -F"q=" '{print $2}' | cut -d'&' -f1

Really the best option here is probably to write a python script to get the accuracy you want in your output.
 
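A small stdin filter of the kind suggested above, as an added example that is not from any poster in this thread. It splits tshark's tab-separated fields first and then decodes the query string as key/value pairs, so the source IP survives and the parameter is found regardless of its position. The sample lines and the www.example.com host are constructed, not from a real capture.

```python
#!/usr/bin/env python3
"""Parse tshark '-T fields -e ip.src -e http.request.uri.query' output.

tshark separates the requested fields with a tab, so we split on '\t'
rather than on whitespace or on '&'. The query string is then decoded
with urllib.parse.parse_qs, which handles the '&' separators, '+' as
space and %XX escapes, so the position of the parameter no longer
matters and 'q=' is not confused with 'query=' or with 'q=' inside a value.
"""
import sys
from urllib.parse import parse_qs

# Constructed sample of tshark output (not a real capture): two fields per
# line, tab-separated. Line 2 has 'q=' in a later position, line 3 carries
# a 'query=' parameter and no 'q=' at all.
SAMPLE = (
    "192.168.1.2\tr=4&f=3&s=400:585&q=this+is+what+I+need&hl=en"
    "&d=http%3A%2F%2Fwww.example.com&a=ID4\n"
    "192.168.1.3\thl=en&gl=us&q=second%20search\n"
    "192.168.1.4\tr=4&query=not+the+q+param&hl=en\n"
)


def extract_param(lines, param="q"):
    """Yield (src_ip, value) for every line whose query string carries `param`."""
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        # tshark emits exactly one tab between -e fields; a line with no tab
        # means the query field was empty for that packet, so nothing matches.
        src_ip, _, query = line.partition("\t")
        values = parse_qs(query, keep_blank_values=True).get(param, [])
        for value in values:  # a parameter may legitimately appear more than once
            yield src_ip, value


def parse_lines(lines, param="q"):
    """Collect the (src_ip, value) pairs as a list, e.g. for the shell pipeline below."""
    return list(extract_param(lines, param))


if __name__ == "__main__":
    # Usage: tshark -n -r capture.pcap -T fields -e ip.src -e http.request.uri.query | ./query_param.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines(True)
    for ip, q in parse_lines(source):
        print(f"{ip}\t{q}")
```

Run without a pipe it processes the built-in sample; the script name query_param.py is a placeholder.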

amrogers3

Gawd
Joined
Nov 7, 2010
Messages
629
&& doesn't appear to work.

| awk '{print $1}' && awk '{print $2}' only prints the 1st field. Any suggestions on how to get this guy to output the $1 and $2 fields?
 
Joined
Dec 27, 2016
Messages
13
Are you still working on this? I have some ideas that might help, but I would need to see what the sample output looks like before the script changes it.
 

PaulTech

Weaksauce
Joined
Jan 20, 2004
Messages
83
Is the parser something you have written? If so, you could easily parse the .pcap binary format with a library like libpcap.
This would allow you to extract the exact information without screen-scraping possibly invalid results.
 