
On Tshark v. 3.0.5, I am trying to run these commands in order to select URLs typed directly by the user. So I need to exclude http.referer fields that are empty (or null).

tshark -Y "http.request == 1 and **!http.referer**" -T fields -e frame.time -e http.referer -e http.host -r traffic.pcap > no_referer.txt
bash: !http.referer: event not found

tshark -Y "http.request == 1 and **http.referer == ""**" -T fields -e frame.time -e http.referer -e http.host -r traffic.pcap > no_referer.txt
Running as user "root" and group "root". This could be dangerous.
tshark: Unexpected end of filter string.

Do you have any idea how I can select this data in tshark?

user2965031

1 Answer


Bash will expand ** in your display filter to something you probably don't want because you are using double quotes. You can use single quotes to ensure that bash doesn't change the contents of the display filter.

Per the Wireshark HTTP docs, http.referer is a string, so checking against empty values means checking against "". So use http.referer and !http.referer == "" to get packets that have this field, but where the field is also not empty.

tshark -Y 'http.request == 1 and http.referer and !http.referer == ""' ...

Note: field != value and !field == value are different, and the latter is preferred. dftest can be used to demonstrate why this is.

Ross Jacobs
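The following is an added example, not part of the question or the answer above, that emulates how a display filter is evaluated against a field that can be absent, empty, or occur more than once in one packet (http.referer is a string field, and a field can have several occurrences when a frame carries several HTTP requests). It shows why `!http.referer` (the asker's first attempt, which only failed because bash history-expanded the `!` inside double quotes) selects requests with no Referer header at all, why `http.referer == ""` does not select those packets (an absent field has no value to compare), and why `http.referer != ""` and `!http.referer == ""` can disagree. The `!=` behaviour modelled here is the pre-3.6 "any occurrence differs" semantics that applies to tshark 3.0.5; the packet records, field names and helper functions are constructed for this illustration, not taken from a capture.

```python
"""Emulate Wireshark display-filter evaluation for a multi-occurrence string field.

Assumptions (not from the original page): packets are dicts mapping a field
name to the list of values the dissector produced; a missing key means the
field does not occur in that packet.  Constructed sample data only.
"""
from typing import Callable, Dict, List

Packet = Dict[str, List[str]]

# Constructed packets.  "typed_url" has no Referer header at all, which is the
# case the asker wants; "empty_referer" carries a literal empty Referer value.
PACKETS: Dict[str, Packet] = {
    "typed_url":     {"http.request": ["1"], "http.host": ["example.com"]},
    "clicked_link":  {"http.request": ["1"], "http.host": ["example.com"],
                      "http.referer": ["http://start.example/"]},
    "empty_referer": {"http.request": ["1"], "http.host": ["example.com"],
                      "http.referer": [""]},
    # One frame with two pipelined requests: one Referer empty, one set.
    "two_referers":  {"http.request": ["1", "1"], "http.host": ["example.com"] * 2,
                      "http.referer": ["", "http://start.example/"]},
    "not_a_request": {"http.response": ["1"], "http.host": ["example.com"]},
}


def present(pkt: Packet, field: str) -> bool:
    """Bare `field`: true when the field occurs at least once."""
    return field in pkt


def eq(pkt: Packet, field: str, value: str) -> bool:
    """`field == value`: true when ANY occurrence equals value (false if absent)."""
    return any(v == value for v in pkt.get(field, []))


def any_ne(pkt: Packet, field: str, value: str) -> bool:
    """`field != value` in Wireshark < 3.6: true when ANY occurrence differs."""
    return any(v != value for v in pkt.get(field, []))


def not_eq(pkt: Packet, field: str, value: str) -> bool:
    """`!field == value`, i.e. !(field == value): true when NO occurrence equals value."""
    return not eq(pkt, field, value)


# Each filter string is paired with its emulated evaluation.  The `!` applies
# to the whole comparison, which is what the answer relies on.
FILTERS: Dict[str, Callable[[Packet], bool]] = {
    "http.request == 1 and !http.referer":
        lambda p: eq(p, "http.request", "1") and not present(p, "http.referer"),
    'http.request == 1 and http.referer == ""':
        lambda p: eq(p, "http.request", "1") and eq(p, "http.referer", ""),
    'http.request == 1 and http.referer != ""':
        lambda p: eq(p, "http.request", "1") and any_ne(p, "http.referer", ""),
    'http.request == 1 and http.referer and !http.referer == ""':
        lambda p: eq(p, "http.request", "1") and present(p, "http.referer")
        and not_eq(p, "http.referer", ""),
}


def matching(display_filter: str) -> List[str]:
    """Names of constructed packets that the given filter string would keep."""
    test = FILTERS[display_filter]
    return sorted(name for name, pkt in PACKETS.items() if test(pkt))


if __name__ == "__main__":
    for f in FILTERS:
        print(f"{f!r:65} -> {matching(f)}")
```

Running the script shows that only `!http.referer` keeps `typed_url`, that `http.referer == ""` keeps `empty_referer` and `two_referers` but never `typed_url`, and that for `two_referers` the `!=` form matches while the `!field == value` form does not; that last pair is the difference the answer's note about dftest refers to. When typing the real filter into bash, keep it in single quotes so the `!` and the inner double quotes reach tshark unchanged.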