This bash tip can be useful when trying to extract all HTTP requests from PCAP generated traces.
First, use this command to generate the pcap file :
# tcpdump -s 0 -w trace.pcap
The option -s 0 enables capture of the whole packets and not only the first 64 bytes of each. With the -w trace.pcap parameter, raw captured data are written to the trace.pcap file.
FIELDS=(
tcp.stream
http.request.method http.request.uri http.request.version
http.request.line
http.response.version http.response.code http.response.phrase
http.response.line
http.file_data
)
tshark -r trace.pcap -T fields -Y http ${FIELDS[@]/#/-e$IFS} |
awk -v FS=$'\t' '
{
output = $1 ".http";
n = $2 ? 2 : 6
if (OUTPUTS[output]) printf("") >> output;
else {printf("") > output; OUTPUTS[output] = 1; }
printf("%s %s %s\n", $n, $(n+1), $(n+2)) >> output;
printf("%s\n", gensub("(\\\\r\\\\n,?)+", "\n", "g", $(n+3))) >> output;
if (substr($10,1,1) == "<") {
fflush(output);
close(output);
xmlstarlet = "xmlstarlet fo - >> "output;
printf("%s\n", gensub("\\\\n", "\n", "g", $10)) | xmlstarlet;
close(xmlstarlet);
printf("") >> output;
}
else
printf("%s\n", $10) >> output;
printf("\n--\n\n") >> output;
close(output);
}
'
This script is using :
- tshark, the wireshark cli (https://www.wireshark.org/docs/man-pages/tshark.html)
- xmlstartlet, command line tool to work with XML (http://xmlstar.sourceforge.net/)
- awk, the famous (https://en.wikipedia.org/wiki/AWK)
- and just a little Bash (https://en.wikipedia.org/wiki/Bash_(Unix_shell))
With a sample downloaded at https://www.cloudshark.org/captures/74a6deb7aa4e, the result is :
$ ls -l *.http -rw-rw-r-- 1 john dev 78407 Jan 26 13:55 0.http -rw-rw-r-- 1 john dev 9089 Jan 26 13:55 1.http -rw-rw-r-- 1 john dev 8307 Jan 26 13:55 2.http -rw-rw-r-- 1 john dev 82888 Jan 26 13:55 3.http -rw-rw-r-- 1 john dev 91637 Jan 26 13:55 4.http -rw-rw-r-- 1 john dev 6733 Jan 26 13:55 5.http
$ cat 5.http
POST /ReportingWebService/ReportingWebService.asmx HTTP/1.1
Accept: text/xml
Content-Type: text/xml
SOAPAction: "http://www.microsoft.com/SoftwareDistribution/ReportEventBatch"
User-Agent: Windows-Update-Agent
Host: asupdt
Content-Length: 4318
Connection: Keep-Alive
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<ReportEventBatch xmlns="http://www.microsoft.com/SoftwareDistribution">
<cookie>
<Expiration>2012-06-26T21:26:32.995Z</Expiration>
...
</ReportEventBatch>
</soap:Body>
</soap:Envelope>
--
HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 26 Jun 2012 20:32:05 GMT
Content-Length: 406
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi=
"http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<ReportEventBatchResponse xmlns="http://www.microsoft.com/SoftwareDistribution">
<ReportEventBatchResult>true</ReportEventBatchResult>
</ReportEventBatchResponse>
</soap:Body>
</soap:Envelope>
It is now easy to use grep, wc and sort on data.
$ grep "500 Error" *.http | wc -l 3
Now, try to do the same with REST requests !
