- Details
- Created: 26 September 2013
If you need to parse HTTP headers from a pcap file, this is a straight forward way to do it.
I saw a lot of hacks on how to do the same thing but, in my opinion, this is the easiest way.
Tshark command
tshark -V -O http -r yourfile.pcap -R "tcp && (http.response || http.request)"
Example Perl script
$result = `tshark -V -O http -r yourfile.pcap -R "tcp && (http.response || http.request)"`;
@chunks = split ("\n\n", $result);
foreach $chunk (@chunks) {
if ($chunk =~ /^Frame (\d+?):.*Hypertext Transfer Protocol\n(.*)\\r\\n\s+\\r\\n/s) {
print "## Frame: $1 ##\n$2\n###############\n\n";
}
}