从Wireshark捕获中提取GET URI或其响应以分离文件 [英] Extract GET URIs or their responses from Wireshark capture to separate file(s)
问题描述
我使用Wireshark捕获HTTP视频流,并使用以下过滤器过滤掉相关的GET请求。
I use Wireshark to capture a HTTP video stream and I've use the following filter to filter out the relevant GET requests.
http.request.uri contains "identifier" && http.request.method == "GET" && ip.addr == xxx.xxx.xxx.xxx
问题
Questions
-
是否可以提取所有获取GET网址以分隔.txt文件?
Is it possible to extract all get GET URLs to separate a .txt file?
或者可以将与上面的过滤器匹配的原始响应数据包(没有标题)提取到单独的文件中,这样我最终会拥有一堆单独的视频文件?
Or is possible to extract the raw response packets (without the header) which match the filter above to separate files so that I have a bunch of individual video files eventually?
我希望自己足够清楚; - )
I hope I made myself clear enough ;-)
谢谢
推荐答案
虽然这可能适用于Wireshark,但使用兄弟。
While this may be doable with Wireshark, it is orders of magnitude easier with Bro.
只需使用跟踪文件运行它:
Simply run it with your trace file:
bro -r <trace>
此调用在当前目录中生成一堆日志文件。您感兴趣的是 http.log 。您可以过滤输出以仅获取GET请求:
This invocation generates a bunch of log files in the current directory. The one you are interested in is http.log. You can filter the output to obtain only the GET requests:
bro-cut id.orig_h id.resp_h method host uri < http.log | awk '$3 == "GET"'
示例输出:
192.168.1.104 212.96.161.238 GET update.avg.com /softw/90/update/avg9infowin.ctf
192.168.1.104 77.67.44.206 GET backup.avg.cz /softw/90/update/u7avi1777u1705ff.bin
192.168.1.104 198.189.255.75 GET aa.avg.com /softw/90/update/u7iavi2511u2510ff.bin
192.168.1.104 77.67.44.206 GET backup.avg.cz /softw/90/update/x8xplsb2_118c8.bin
如你所见,最后两列构成完整的URL。要删除其间的空格,可以使用awk连接最后两个字段。
As you can see, the last two columns make up the full URL. To remove the space in-between, you could use awk to concatenate the last two fields.
注意:即将推出的Bro 2.1版本将对文件提取进行重大改进。在此之前,您可以通过指定要存储的文件的MIME类型从HTTP流中提取所有文件:
Note: the upcoming Bro 2.1 release will have major improvements for file extractions. Until then, you can extract all files from a HTTP stream by specifying the MIME type of the files to store:
bro -r <trace> 'HTTP::extract_file_type = /video\/avi/'
Bro嗅探a的MIME类型HTTP正文,如果它匹配正则表达式 / video \ / avi / ,它会创建一个前缀 http-item 。您可以通过重新定义 HTTP :: extraction_prefix 变量来更改前缀名称。
Bro sniffs the MIME type of a HTTP body and if it matches the regular expression /video\/avi/, it creates a file with the prefix http-item. You can change the prefix name by redefining the HTTP::extraction_prefix variable.
这篇关于从Wireshark捕获中提取GET URI或其响应以分离文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
