So by default when you open a pcap in Wireshark it looks something like this.
But I want to view the names of the websites, so I have to find the host (HTTP) or :authority (HTTP2) header and then apply it as a column so that I have the name of the website in my display. Once that is done I can export the pcap as a CSV with the names of the websites included in the CSV.
My question is: how do I do this in tshark? Especially for HTTP2. There's lots of information on how to do this for HTTP.
From the tshark man page:
-T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
...
fields The values of fields specified with the -e option, in a form specified by the -E option. For example,
tshark -T fields -E separator=, -E quote=d
So in your case, you might use something like:
tshark -r Wednesday.pcap -Y http2 -T fields -E separator=, -E quote=d -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len -e http2.headers.authority -e _ws.col.Info > Wednesday.csv
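Added example, not part of the original answer: a Python script that turns the CSV written by the command above into a per-client summary of HTTP/2 sites. The sample rows, the `COLUMNS` names and the `sites_by_client` helper are constructed for illustration; it assumes tshark's default `-E aggregator` (a comma), which joins several `:authority` values from one packet into a single quoted cell.

```python
import csv
import io
from collections import defaultdict

# Column order produced by the -e options in the tshark command above.
# No header row is written because -E header=y is not set.
COLUMNS = ["frame", "time", "src", "dst", "proto", "length", "authority", "info"]

# Constructed sample rows in that layout, not taken from a real capture.
SAMPLE_CSV = '''"12","0.104","192.0.2.10","198.51.100.7","HTTP2","312","www.example.com","HEADERS[1]: GET /"
"13","0.131","198.51.100.7","192.0.2.10","HTTP2","95","","SETTINGS[0]"
"20","0.502","192.0.2.10","198.51.100.7","HTTP2","540","www.example.com,static.example.com","HEADERS[3]: GET /a.css, HEADERS[5]: GET /b.js"
"31","1.250","192.0.2.11","203.0.113.5","HTTP2","298","api.example.org","HEADERS[1]: POST /v1/items"
'''


def sites_by_client(csv_text):
    """Return {(client_ip, site): {"requests": n, "first_seen": seconds}}."""
    summary = defaultdict(lambda: {"requests": 0, "first_seen": None})
    reader = csv.DictReader(io.StringIO(csv_text), fieldnames=COLUMNS)
    for row in reader:
        # Packets without a request HEADERS frame (SETTINGS, DATA,
        # responses) leave the authority cell empty.
        cell = row["authority"] or ""
        # One packet can carry several HEADERS frames; tshark joins the
        # values with "," inside the quoted cell, so split them again.
        for site in (s.strip().lower() for s in cell.split(",")):
            if not site:
                continue
            entry = summary[(row["src"], site)]
            entry["requests"] += 1
            seen = float(row["time"])
            if entry["first_seen"] is None or seen < entry["first_seen"]:
                entry["first_seen"] = seen
    return dict(summary)


if __name__ == "__main__":
    for (client, site), stats in sorted(sites_by_client(SAMPLE_CSV).items()):
        print(f"{client}  {site:<20} requests={stats['requests']} "
              f"first_seen={stats['first_seen']:.3f}s")
```

To run it on real output, pass the contents of `Wednesday.csv` to `sites_by_client` in place of `SAMPLE_CSV`.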