From f3aa7bcc59bd4cd697a84009bb8e447ee5b78fcd Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Mon, 29 Sep 2014 14:51:04 +0200 Subject: tshark-http2urls.awk: helper to retrieve HTTP info Prints Last-Modified, Content-Length and URL for tshark -O http output. Used for analyzing a vc_web install capture. --- tshark-http2urls.awk | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100755 tshark-http2urls.awk (limited to 'tshark-http2urls.awk') diff --git a/tshark-http2urls.awk b/tshark-http2urls.awk new file mode 100755 index 0000000..3103c8e --- /dev/null +++ b/tshark-http2urls.awk @@ -0,0 +1,62 @@ +#!/usr/bin/awk -f +# Shows URLs from a tshark -O http dump +BEGIN { + FS = "[ :]+"; + OFS = "\t"; +} +function find(regex, haystack) { + haystack = $0; + regex = "^ *\\[" regex ": "; + if (haystack ~ regex) { + sub(regex, "", haystack); sub(/\]$/, "", haystack); + $0 = haystack; + return 1; + } + return 0; +} + +/^Frame / { + frame_no = $2; + in_request = 0; + in_response = 0; +} +next_http { + if ($2 ~ /^HTTP\//) { # response + if ($3 == 200) { + in_request = 0; + in_response = 1; + } + } else { # request + if ($2 == "GET") { + in_request = 1; + in_response = 0; + } + } + next_http = 0; +} +/^Hypertext Transfer Protocol/ { next_http = 1; } + +in_request && find("Full request URI") { + urls[frame_no] = $0; +} +in_response { + n = split("Content-Length Last-Modified", header_names, " "); + for (i = 1; i <= n; i++) { + header_name = header_names[i]; + if ($2 == header_name) { + sub("^ *" header_name ": ", ""); sub(/\\r\\n$/, ""); + headers[header_name, frame_no] = $0; + } + } +} +# Print response if a request matched this frame number +in_response && find("Request in frame") && urls[$1] { + req_frame_no = $1; + #printf("%-7d ", frame_no); + printf("%10d %-29s %s\n", + headers["Content-Length", frame_no], + headers["Last-Modified", frame_no], + urls[req_frame_no]); +} + +# vim: set sw=4 et ts=4: -- cgit v1.2.1