
Wireshark capture filter subnet

Capture Packets with Tshark

tshark -i wlan0 -w capture-output.pcap

Read a Pcap with Tshark

tshark -r capture-output.pcap

As you can see, the syntax for capturing and reading a pcap is very similar to tcpdump. Use these as the basis for starting to build your extraction commands.

HTTP Analysis with Tshark

Using additional HTTP filters in the analysis, we can extract data from any HTTP requests that are seen. In the following example, the -T option specifies that we want to extract fields, and the -e options identify which fields we want to extract.

tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

The default separator for the fields in the output above is TAB. We could also use the parameter -E separator=, to change the delimiter to a comma.

Parse User Agents and Frequency with Standard Shell Commands

Using the previous command to extract http.user_agent, this time we read from a pcap rather than off the live interface.

tshark -r example.pcap -Y http.request -T fields -e http.host -e http.user_agent | sort | uniq -c | sort -n

Note that in this example, combining tshark with standard shell commands allows us to sort and count the occurrences of each user agent. Using this, we can quickly parse a pcap, even a very large one, and get a summary of all the user agents seen. This can be used to detect malware, old browsers on your network, and scripts. We could perform a similar analysis with the request URL in place of the user agent (-e http.request.uri).
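The same count-and-sort step, carried a little further than the shell pipeline above, as an added example that is not part of the original post: it parses the TAB (or comma) separated `tshark -T fields` output, counts each host/user-agent pair the way `sort | uniq -c | sort -n` does, and then flags the script clients and outdated browsers the text says this summary is useful for. The sample output, the version thresholds and the script-client list are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample of what the page's command prints (TAB separated by default):
#   tshark -r example.pcap -Y http.request -T fields -e http.host -e http.user_agent
SAMPLE_TSHARK_OUTPUT = """\
example.com\tMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
example.com\tMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
cdn.example.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
update.example.net\tpython-requests/2.31.0
update.example.net\tpython-requests/2.31.0
update.example.net\tpython-requests/2.31.0
203.0.113.7\tcurl/7.68.0
old.example.org\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""

# Assumed thresholds: a browser reporting a lower major version is considered outdated.
MIN_BROWSER_VERSION = {"Firefox": 100, "Chrome": 100}
# Assumed list of clients that identify themselves as scripts or tools rather than browsers.
SCRIPT_CLIENTS = ("python-requests", "curl", "wget", "go-http-client")

def parse_fields(output, separator="\t"):
    """Parse 'tshark -T fields' output into (host, user_agent) tuples.
    A request without a User-Agent header yields a short line; it is padded with ''."""
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        parts = line.split(separator, 1)
        rows.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return rows

def count_user_agents(rows):
    """Equivalent of 'sort | uniq -c | sort -n': count per (host, user_agent), ascending."""
    return sorted(Counter(rows).items(), key=lambda item: (item[1], item[0]))

def classify_user_agent(ua):
    """Return 'script', 'old-browser', 'browser' or 'empty' for one User-Agent string."""
    if not ua:
        return "empty"
    if ua.lower().startswith(SCRIPT_CLIENTS):
        return "script"
    if "MSIE" in ua:  # legacy Internet Explorer token, always treated as outdated here
        return "old-browser"
    for name, minimum in MIN_BROWSER_VERSION.items():
        m = re.search(rf"{name}/(\d+)", ua)
        if m and int(m.group(1)) < minimum:
            return "old-browser"
    return "browser"

def suspicious_agents(output, separator="\t"):
    """Summarise the counts and keep only entries that are not a current browser."""
    return [(host, ua, n, classify_user_agent(ua))
            for (host, ua), n in count_user_agents(parse_fields(output, separator))
            if classify_user_agent(ua) != "browser"]
```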