Ethereal-users: Re: [Ethereal-users] HTTP Output to a file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 3 Mar 2002 13:29:57 -0800
On Sun, Mar 03, 2002 at 03:34:41PM -0000, Andrew Brampton wrote:
> I've been using ethereal to monitor HTTP packets on my network.  I was
> able to get it to display a list of only HTTP Requests using some
> filters, but what I would like to do now is to save the list of
> requested sites to a log file.  For example something that looks like:
> 
> GET http://blah.com/index.html HTTP/1.0
> GET http://www.bob.com/fred.html HTTP/1.0
> POST http://www.login.com/hello.html HTTP/1.1
> 
> I have tried saving it in the different formats available, but none
> give me a standard output like so.

If by "saving it" you're referring to saving it with the "Save As..."
menu item from the "File" menu, none of them are intended to give you
any such output - they're intended to save binary dumps of the raw
packet data, not formatted output.

If you want human-readable output saved, the correct menu item to select
from "File" is "Print...", not "Save As...", and you should select
"File" from the "Print to:" item, and specify a file name.

> So has anyone got a plugin or another solution to my problem?

A plugin won't help - "plugin" currently means only "dissector module
for a protocol, generating a protocol tree", not "arbitrary plugin to
modify arbitrary parts of Ethereal's behavior".

I would do that by

	1) loading the capture file;

	2) applying a display filter of "http.request";

	3) selecting one of the HTTP request packets now being
	   displayed;

	4) opening the "Hypertext Transfer Protocol" item in the middle
	   pane (and making sure no other items are opened);

	5) selecting "Print..." from the "File" menu;

	6) turning on "File" in the "Print" dialog box, specifying a
	   file name, and turning on "Print as displayed";

	7) writing a script (Perl, Python, sed, etc.) to scan the
	   resulting file, looking for lines that immediately follow a
	   line that says "Hypertext Transfer Protocol" at the beginning,
	   and write out or process that following line - or,
	   alternatively, for lines containing an HTTP method, indented
	   four spaces, and write out or process *that* line.

(NOTE: those lines will have a literal string such as "\r\n" at the end,
as Ethereal displays CRs and LFs in that fashion in HTTP request and
response lines, so you know whether they ended with a CR, LF, CR/LF,
etc.)
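
An added example, not part of the original message: one way to write the step 7 script in Python, taking the line that immediately follows each "Hypertext Transfer Protocol" heading and stripping the literal "\r\n" text. The printed-file layout in SAMPLE is constructed from the description above, and the method list and all names are assumptions.

```python
import re
import sys

HEADING = "Hypertext Transfer Protocol"
# Ethereal prints line endings as literal text: "\r\n", "\n" or "\r".
TRAILING_ESCAPES = re.compile(r"(?:\\r|\\n)+$")
# Assumed method list (HTTP/1.1); extend it if the capture uses others.
REQUEST_LINE = re.compile(
    r"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/\d\.\d$"
)

# Constructed sample of "Print as displayed" output; the exact layout is assumed.
SAMPLE = r"""Frame 4 (412 bytes on wire, 412 bytes captured)
Hypertext Transfer Protocol
    GET http://blah.com/index.html HTTP/1.0\r\n
    Host: blah.com\r\n

Frame 9 (530 bytes on wire, 530 bytes captured)
Hypertext Transfer Protocol
    POST http://www.login.com/hello.html HTTP/1.1\n
    Content-Length: 12\r\n

Frame 12 (200 bytes on wire, 200 bytes captured)
Hypertext Transfer Protocol
    HTTP/1.0 200 OK\r\n
"""


def extract_requests(lines):
    """Return the request lines that directly follow an HTTP heading line."""
    requests = []
    after_heading = False
    for raw in lines:
        line = raw.rstrip("\r\n")  # real line ending of the text file
        if after_heading:
            # Drop the indentation and the literal escape text at the end.
            candidate = TRAILING_ESCAPES.sub("", line.strip())
            # Keep only well-formed request lines; responses are skipped.
            if REQUEST_LINE.match(candidate):
                requests.append(candidate)
        after_heading = line.startswith(HEADING)
    return requests


if __name__ == "__main__":
    # Pass the file written by "Print..." as the argument; no argument runs SAMPLE.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    for request in extract_requests(source):
        print(request)
```
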