- Created: 26 September 2013
If you need to parse HTTP headers from a pcap file, this is a straightforward way to do it.
I saw a lot of hacks on how to do the same thing but, in my opinion, this is the easiest way.
Tshark command
    tshark -V -O http -r yourfile.pcap -R "tcp && (http.response || http.request)"
Example Perl script
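    use strict;
    use warnings;

    # Verbose output with only the HTTP layer expanded (-O http).
    # tshark 1.10 and later: use -Y for this filter (-R there requires -2).
    my $result = `tshark -V -O http -r yourfile.pcap -R "tcp && (http.response || http.request)"`;

    # Packets are separated by a blank line.
    foreach my $chunk (split /\n\n/, $result) {
        # tshark prints line endings as the literal text \r\n.
        if ($chunk =~ /^Frame (\d+?):.*Hypertext Transfer Protocol\n(.*)\\r\\n\s+\\r\\n/s) {
            print "## Frame: $1 ##\n$2\n###############\n\n";
        }
    }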
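The script above prints each header block as raw text. As an added example (not part of the original post), the following goes one step further and splits each block into its start line and a name-to-values map, so repeated headers such as Set-Cookie stay visible during analysis. The sample text is constructed, and the layout it assumes (header lines indented four spaces and ending in a literal `\r\n`, tshark's detail lines indented deeper) is an assumption about the `-V -O http` output; `parse_http_frames` is a hypothetical helper name.

```perl
use strict;
use warnings;
# Constructed sample modelled on `tshark -V -O http` output (not a real capture).
my $result = <<'END';
Frame 4: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits)
Hypertext Transfer Protocol
    GET /index.html HTTP/1.1\r\n
        Request Method: GET
    Host: example.test\r\n
    User-Agent: curl/7.30.0\r\n
    \r\n

Frame 6: 180 bytes on wire (1440 bits), 180 bytes captured (1440 bits)
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
        Status Code: 200
    Server: nginx\r\n
    Set-Cookie: a=1\r\n
    Set-Cookie: b=2\r\n
    \r\n
END

# Returns one record per HTTP frame: frame number, start line, and a hash of
# lower-cased header names, each mapped to a list of values (headers can repeat).
sub parse_http_frames {
    my ($text) = @_;
    my @frames;
    foreach my $chunk (split /\n\n+/, $text) {
        next unless $chunk =~ /^Frame (\d+):.*?^Hypertext Transfer Protocol\n(.*)/ms;
        my %rec = (frame => $1, start => '', headers => {});
        foreach my $line (split /\n/, $2) {
            last if $line =~ /^ {4}\\r\\n$/;            # empty line ends the header block
            next unless $line =~ /^ {4}(\S.*)\\r\\n$/;  # skip tshark's nested detail lines
            my $field = $1;
            if ($field =~ /^([\w-]+):\s*(.*)$/) {
                push @{ $rec{headers}{lc $1} }, $2;
            } elsif ($rec{start} eq '') {
                $rec{start} = $field;                   # request line or status line
            }
        }
        push @frames, \%rec;
    }
    return @frames;
}

foreach my $f (parse_http_frames($result)) {
    print "Frame $f->{frame}: $f->{start}\n";
    print "  $_: ", join(' | ', @{ $f->{headers}{$_} }), "\n" for sort keys %{ $f->{headers} };
}
```

To run it against a real capture, replace the heredoc with the backtick tshark call from the script above.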