#!/bin/bash
#
# a simple script to extract full_uri's from PCAPs
#
# part of the set tshark-hosts-conv, but
# can be used separately.
#
# Copyright (C) 2015,2020 Miroslav Rovis, <http://www.CroatiaFidelis.hr/>
# Use this at your own risk!
# released under BSD license, see LICENSE, or assume general BSD license,
#
# Used to be (2 ln):
# WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1
# TSHARK=/<some-dir>/wireshark-ninja/run/tshark
# Replaced with:
# Provides $TSHARK (the tshark binary the extraction runs); this replaces the
# WIRESHARK_RUN_FROM_BUILD_DIRECTORY/TSHARK assignments mentioned above.
# NOTE(review): with no slash in the name, bash looks "shark2use" up through
# $PATH (and, outside POSIX mode, the current directory) rather than next to
# this script, so whichever file of that name is found first is what gets
# executed; a lookup failure only prints an error and the run carries on
# with $TSHARK empty.
. shark2use
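#######################################
# Print the usage text to stdout.
# The original used 'echo -e' for the tab-indented lines; printf formats
# produce the same bytes without relying on echo's option handling.
# Also documents -i, which the option parser accepts but the old help
# text never mentioned.
# Globals:   none ($0 is used for the program name)
# Outputs:   usage text on stdout
# Returns:   0
#######################################
show_help() {
  printf '%s\n' "tshark-http-uri.sh - dump full_uri's of a PCAP by frame number"
  printf '%s\n' "Usage: ${0##*/} -r <PCAP file> -k <tls.keylog_file> [-i <ip address>]"
  printf '\n'
  printf '%s\n' " -r \$PCAP_FILE is mandatory (but may not do it alone); see below"
  printf ' \t%s\n' "for particular uses though"
  printf '%s\n' " -k give the filename with the CLIENT_RANDOM... lines that belong to"
  printf ' \t%s\n' "the sessions in the PCAP. If those have been logged in the file"
  printf ' \t%s\n' "designated by the \$SSLKEYLOGFILE environment variable used during"
  printf ' \t%s\n' "Palemoon, Firefox, or some other NSS supporting browser's run, all"
  printf ' \t%s\n' "properly set, then you don't need to set this flag"
  # -i is read by the getopts loop and becomes the display filter
  # ip.addr==<ip address>; the output file names then carry _<ip address>.
  printf '%s\n' " -i restrict the dump to frames matching ip.addr==<ip address>; output"
  printf ' \t%s\n' "file names then carry an _<ip address> suffix"
}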
# Invoked with no arguments at all: behave like -h (usage on stdout, exit 0).
[[ $# -gt 0 ]] || { show_help; exit 0; }
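#######################################
# Parse the command line into the globals the rest of the script reads.
# Changes from the old inline loop: getopts runs in silent mode so a flag
# missing its value and an unknown flag are reported here and exit 2
# (previously both fell into the -h arm and exited 0), and the stale
# debug comments were dropped.
# Globals:   OPTIND (reset), PCAP_FILE, KEYLOGFILE, ip (written)
# Arguments: the script's "$@"
# Outputs:   usage on stdout for -h; a diagnostic plus usage on stderr for
#            a bad option
# Returns:   0; exits 0 after -h, exits 2 on a bad option
#######################################
parse_args() {
  local opt
  # Reset in case getopts has been used previously in the shell.
  OPTIND=1
  KEYLOGFILE=""
  # Leading ':' silences getopts' own messages so the ':' and '?' arms own
  # the error reporting.
  while getopts ':hr:k:i:' opt; do
    case "$opt" in
      h)
        show_help
        exit 0
        ;;
      r) PCAP_FILE=$OPTARG ;;
      k) KEYLOGFILE=$OPTARG ;;
      # Becomes the tshark display filter ip.addr==$ip further down.
      i) ip=$OPTARG ;;
      :)
        printf '%s: option -%s requires an argument\n' "${0##*/}" "$OPTARG" >&2
        show_help >&2
        exit 2
        ;;
      \?)
        printf '%s: unknown option -%s\n' "${0##*/}" "$OPTARG" >&2
        show_help >&2
        exit 2
        ;;
    esac
  done
}
parse_args "$@"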
# No -k given: fall back to the key log the browser wrote. Note this picks
# up whatever $SSLKEYLOGFILE happens to be in the environment, silently.
: "${KEYLOGFILE:=$SSLKEYLOGFILE}"
#echo \$KEYLOGFILE: $KEYLOGFILE
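#######################################
# Split the PCAP path into the extension and the stem that names the
# output files.  The old form stripped only a literal ".pcap" from the
# stem, so for a ".pcapng" (or ".pcap.gz") input $dump kept the extension
# and the later "$dump.$ext" re-join named a file that does not exist.
# Globals:   ext, dump (written)
# Arguments: $1 - the PCAP path
# Returns:   0
#######################################
split_pcap_name() {
  local path=$1
  local base=${path##*/}
  if [[ "$base" == *.* ]]; then
    ext=${path##*.}
    dump=${path%.*}
  else
    # No extension in the file name itself (a dot in a directory name does
    # not count): keep the whole path as the stem.
    # NOTE(review): a later "$dump.$ext" re-join still yields "name." here.
    ext=""
    dump=$path
  fi
}
split_pcap_name "$PCAP_FILE"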
# If your SSLKEYLOGFILE already holds the TLS keys for the PCAP, don't give a
# second argument (-k); but if it is a PCAP not taken on your system, obtain
# the pertaining TLS keys and give the file containing them as the second
# argument (-k).
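# Display only -- nothing here is executed.  Shows the ip-filtered form of the
# first extraction below as a copy-pasteable line.  It names plain 'tshark'
# rather than $TSHARK and always prints the -Y ip.addr filter, even when -i
# was not given; the real run branches on $ip.  printf with quoted arguments
# replaces the old unquoted echo, whose expansions were subject to word
# splitting and pathname expansion.
printf 'tshark -o "tls.keylog_file: %s" -q -r %s.%s -Y ip.addr==%s -T fields ' \
  "$KEYLOGFILE" "$dump" "$ext" "$ip"
printf "-e 'frame.number' -e 'http.request.full_uri' | grep -E '^[0-9]{1,9}[[:space:]][[:alpha:]]' "
printf '> %s_%s-frame-http-request-full_uri.txt\n' "$dump" "$ip"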
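#######################################
# Strip "scheme://host" from every URI on stdin so a full_uri listing can be
# compared with the plain request.uri listing.  Handles https, http and ftp
# for a URI that directly follows the frame-number tab or a comma (apparently
# the separator tshark uses when one frame carries several values).  Replaces
# the former chain of 24 single-substitution sed processes, which could also
# rewrite at most eight URIs per frame.  A host with a port (host:port) is
# left untouched, exactly as before.
# Arguments: none (reads stdin, writes stdout)
# Returns:   sed's status
#######################################
strip_scheme_host() {
  # \t and \| are GNU sed extensions, as in the original expressions.
  sed -e 's$\(\t\|,\)https://[0-9a-zA-Z.-]*/$\1/$g' \
      -e 's$\(\t\|,\)http://[0-9a-zA-Z.-]*/$\1/$g' \
      -e 's$\(\t\|,\)ftp://[0-9a-zA-Z.-]*/$\1/$g'
}

#######################################
# Extract the http.request.full_uri and http.request.uri listings (frame
# number, then value) from the PCAP into
#   <prefix>-frame-http-request-full_uri.txt and
#   <prefix>-frame-http-request-uri.txt,
# then delete the uri file again when it is identical to the host-stripped
# full_uri listing (<prefix>-frame-http-request-uri.txt.BIS).
# Both branches of the old if/else did this with the same commands; the only
# differences were the -Y filter and the output prefix, now parameters.
# The PCAP is read as "$PCAP_FILE" rather than re-joined from "$dump.$ext".
# Globals:   TSHARK, KEYLOGFILE, PCAP_FILE (read)
# Arguments: $1 - output file prefix
#            $2 - optional tshark display filter for -Y; empty or absent for none
# Outputs:   the ls -l / rm -v lines on stdout, as before
# Returns:   1 when tshark itself fails (without pipefail the pipeline status
#            was grep's, so a bad PCAP or key log silently left empty files);
#            0 otherwise
#######################################
extract_uris() {
  local prefix=$1
  local filter=${2-}
  local full_uri_file="${prefix}-frame-http-request-full_uri.txt"
  local uri_file="${prefix}-frame-http-request-uri.txt"
  local -a filter_args=()
  [[ -n "$filter" ]] && filter_args=(-Y "$filter")

  # The key log lets tshark decrypt the TLS sessions, so these listings can
  # hold URIs (query strings included) that never crossed the wire in clear;
  # handle the output files with the same care as the key log itself.
  # shellcheck disable=SC2086 -- $TSHARK comes from the sourced shark2use and
  # stays unquoted as before, in case it carries options.
  $TSHARK -o "tls.keylog_file: $KEYLOGFILE" -q -r "$PCAP_FILE" "${filter_args[@]}" \
      -T fields -e 'frame.number' -e 'http.request.full_uri' \
    | grep -E '^[0-9]{1,9}[[:space:]][[:alpha:]]' \
    > "$full_uri_file"
  if (( PIPESTATUS[0] != 0 )); then
    printf '%s: tshark failed reading %s\n' "${0##*/}" "$PCAP_FILE" >&2
    return 1
  fi
  ls -l -- "$full_uri_file"

  # shellcheck disable=SC2086
  $TSHARK -o "tls.keylog_file: $KEYLOGFILE" -q -r "$PCAP_FILE" "${filter_args[@]}" \
      -T fields -e 'frame.number' -e 'http.request.uri' \
    | grep -E '^[0-9]{1,9}[[:space:]]{1,9}[[:print:]]' \
    > "$uri_file"
  if (( PIPESTATUS[0] != 0 )); then
    printf '%s: tshark failed reading %s\n' "${0##*/}" "$PCAP_FILE" >&2
    return 1
  fi
  ls -l -- "$uri_file"

  strip_scheme_host < "$full_uri_file" > "$uri_file.BIS"
  # Identical listings carry no extra information: keep only the full_uri file.
  if diff -- "$uri_file" "$uri_file.BIS"; then
    rm -v -- "$uri_file" "$uri_file.BIS"
  fi
}

#######################################
# Entry point: require -r (the help text calls it mandatory), then run one
# extraction, filtered to the -i address with an _<ip> suffix on the output
# names, or unfiltered.
# Globals:   PCAP_FILE, dump, ip (read)
# Returns:   2 when no PCAP was given, else extract_uris' status
#######################################
main() {
  if [[ -z "$PCAP_FILE" ]]; then
    printf '%s: -r <PCAP file> is required\n' "${0##*/}" >&2
    return 2
  fi
  if [[ -n "$ip" ]]; then
    extract_uris "${dump}_${ip}" "ip.addr==$ip"
  else
    extract_uris "$dump"
  fi
}
main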