While this may be doable with Wireshark, it is orders of magnitude easier with Bro. Simply run it with your trace file:

bro -r

This invocation generates a bunch of log files in the current directory. The one you are interested in is http.log. You can filter the output to obtain only the GET requests:

bro-cut id.orig_h id.resp_h method host uri

Redefine the extraction pattern:

'HTTP::extract_file_type = /video/avi/'

Bro sniffs the MIME type of an HTTP body and, if it matches the regular expression /video/avi/, it creates a file with the prefix http-item. You can change the prefix name by redefining the HTTP::extraction_prefix variable.

Open Wireshark and click Edit, then Preferences. The Preferences dialog will open, and on the left, you'll see a list of items. Expand Protocols, scroll down, then click SSL. In the list of options for the SSL protocol, you'll see an entry for (Pre)-Master-Secret log filename.

At the application layer, you can specify a display filter for the HTTP Host header:

http.host == ''

At the transport layer, you can specify a port using this display filter:

tcp.port == 80

At the network layer, you can limit the results to an IP address using this display filter:

ip.addr == 93.184.216.
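The two Bro-side filters above (the bro-cut column selection of GET requests, and the MIME-type pattern that decides which HTTP bodies get written to an http-item file) can be reproduced on a saved http.log without Bro installed. The following is an added example, not code from the page or from the Bro project: it parses the Bro ASCII log format by honoring the #separator, #fields and #unset_field header lines, then applies both filters. The sample log, its addresses, hosts and uids are constructed for this example.

```python
"""Parse a Bro/Zeek ASCII log and reproduce two filters: the bro-cut
column selection of GET requests, and the MIME-type regex that selects
bodies for extraction. Added example; not the Bro project's code."""
import re

# Constructed sample of a Bro http.log with the usual header lines.
# Rows, hosts, addresses and uids are made up for this example; the
# field list is a subset of a real http.log (the parser reads #fields,
# so it does not depend on this particular layout).
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tmethod\thost\turi\tstatus_code\tmime_type\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tstring\tstring\tstring\tcount\tstring\n"
    "1300475168.843894\tC1abc\t192.168.1.10\t51234\t93.184.216.34\t80"
    "\tGET\twww.example.com\t/index.html\t200\ttext/html\n"
    "1300475169.101000\tC2def\t192.168.1.10\t51235\t93.184.216.34\t80"
    "\tPOST\twww.example.com\t/login\t302\t-\n"
    "1300475170.222000\tC3ghi\t192.168.1.11\t51236\t93.184.216.34\t80"
    "\tGET\tmedia.example.com\t/clip.avi\t200\tvideo/x-msvideo\n"
    "1300475171.333000\tC4jkl\t192.168.1.11\t51237\t93.184.216.34\t80"
    "\tGET\tmedia.example.com\t/trailer.avi\t200\tvideo/avi\n"
    "#close\t2011-03-18-20-26-11\n"
)

# Same pattern the page passes as HTTP::extract_file_type; Bro patterns
# are searched, not anchored, so re.search is the right comparison.
EXTRACT_FILE_TYPE = re.compile(r"video/avi")


def parse_bro_log(text):
    """Return (fields, rows); each row is a dict keyed by the #fields names.
    Unset fields (the #unset_field marker, '-' by default) become None."""
    sep, unset = "\t", "-"
    fields, rows = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written as an escape such as \x09 (tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            parts = line.split(sep)
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            continue  # #set_separator, #types, #path, #close, ...
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("row does not match #fields: %r" % line)
        rows.append({f: (None if v == unset else v)
                     for f, v in zip(fields, values)})
    return fields, rows


def bro_cut(rows, columns, where=None):
    """Mimic `bro-cut col1 col2 ...`: keep the named columns in order,
    optionally only for rows where `where(row)` is true."""
    return [[row[c] for c in columns]
            for row in rows if where is None or where(row)]


def get_requests(rows):
    """The page's bro-cut column set, restricted to GET requests."""
    return bro_cut(rows, ["id.orig_h", "id.resp_h", "method", "host", "uri"],
                   where=lambda r: r["method"] == "GET")


def extraction_candidates(rows, pattern=EXTRACT_FILE_TYPE):
    """(uid, mime_type) for responses whose sniffed MIME type matches the
    pattern, i.e. the bodies Bro would write out with the http-item prefix."""
    return [(r["uid"], r["mime_type"]) for r in rows
            if r["mime_type"] is not None and pattern.search(r["mime_type"])]


if __name__ == "__main__":
    _, log_rows = parse_bro_log(SAMPLE_HTTP_LOG)
    for line in get_requests(log_rows):
        print("\t".join(line))
    print("would extract:", extraction_candidates(log_rows))
```

Note the third sample row: a body sniffed as video/x-msvideo (the type libmagic commonly reports for AVI) does not match /video/avi/, so a pattern that names only video/avi will miss those files; widen the pattern if that is not what you want.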