wiresharkpcaptshark

How To Extract The Name of the Level 7 HTTP2 Application in Tshark


So by default when you open a pcap in wireshark it looks something like this.

enter image description here

But I want to view the name of the websites, so I have to find the host (HTTP) or :authority (HTTP2) header then apply it as a column so that I have the name of the website in my display. Once that is done I can export the pcap as a CSV with the name of the websites include CSV.

enter image description here

My question is how do I do this in tshark? Especially for HTTP2. There's lot's of information on how to do this for HTTP.


Solution

  • From the tshark man page:

    -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text

    ...

    fields The values of fields specified with the -e option, in a form specified by the -E option. For example,

    tshark -T fields -E separator=, -E quote=d

    So in your case, you might use something like:

    tshark -r Wednesday.pcap -Y http2 -T fields -E separator=, -E quote=d -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len -e http2.headers.authority -e _ws.col.Info > Wednesday.csv