Export HTTP Objects in Tshark

Introduction

In this lab, you will learn how to use Wireshark's command-line tool tshark to analyze HTTP traffic and extract transferred objects from packet captures. You'll practice key commands like -r for reading capture files and --export-objects for retrieving HTTP content such as images or documents.

The exercises will guide you through exporting HTTP objects from a pre-captured file (http.pcap) to a local directory, filtering specific requests, and inspecting the extracted files. These practical techniques are essential for network traffic analysis and forensic investigations.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/display_filters("Display Filters") wireshark/WiresharkGroup -.-> wireshark/export_packets("Exporting Packets") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/display_filters -.-> lab-548925{{"Export HTTP Objects in Tshark"}} wireshark/export_packets -.-> lab-548925{{"Export HTTP Objects in Tshark"}} wireshark/packet_analysis -.-> lab-548925{{"Export HTTP Objects in Tshark"}} wireshark/commandline_usage -.-> lab-548925{{"Export HTTP Objects in Tshark"}} end

Open HTTP Capture with -r http.pcap

In this step, you will learn how to open and examine a pre-captured HTTP traffic file using Wireshark's command-line tool tshark. This is particularly useful when you need to analyze saved network traffic data without capturing live packets.

Before we begin, let's understand some basics:

A .pcap file is a common format for storing network packet data
tshark is the command-line version of Wireshark, allowing packet analysis without GUI
HTTP traffic typically shows web requests and responses between clients and servers

First, ensure you're in the correct directory where our sample capture file is located:

cd ~/project

The -r option in tshark is crucial here - it stands for "read" and allows you to analyze packet data from a saved file instead of capturing live traffic. We'll use a sample capture file named http.pcap that contains typical HTTP web traffic.

To open and display the contents of the capture file, run:

tshark -r http.pcap

This command will display the packet list directly in your terminal. Each line represents one network packet with several important fields:

Packet number: The sequence number of the packet in the capture
Timestamp: When the packet was captured (in seconds)
Source IP: Where the packet came from
Destination IP: Where the packet is going
Protocol: The network protocol being used (HTTP in our case)
Packet length: Size of the packet in bytes
Info: Brief details about the packet contents

For example, you might see output like this showing a typical HTTP request and response:

1 0.000000 192.168.1.100 → 192.168.1.1 HTTP GET /index.html HTTP/1.1
2 0.000123 192.168.1.1 → 192.168.1.100 HTTP HTTP/1.1 200 OK (text/html)

The first line shows a client (192.168.1.100) requesting a webpage, while the second line shows the server's successful response. This basic view helps you quickly understand the traffic flow.

To exit the packet view when you're done examining the data, simply press Ctrl+C. This will return you to the command prompt.

Export Objects with --export-objects http,./objects

In this step, we'll explore how to extract files transferred over HTTP from a packet capture. When you capture network traffic containing HTTP communications, files like images, PDFs, or scripts are transmitted as binary objects within the HTTP protocol. Tshark provides a convenient way to extract these files for analysis.

First, let's navigate to the project directory where our packet capture file is stored. This ensures all our commands will work with the correct files:

cd ~/project

Before extracting files, we need a place to store them. The mkdir -p command creates a directory called "objects" where Tshark will save the extracted files. The -p flag means it won't show an error if the directory already exists:

mkdir -p objects

Now we'll use Tshark's powerful --export-objects feature. This command scans through the packet capture, identifies HTTP file transfers, and reconstructs the original files. The syntax has two parts after --export-objects: "http" specifies the protocol, and "./objects" is our output directory:

tshark -r http.pcap --export-objects http,./objects

Here's what happens when you run this command:

Tshark reads the http.pcap file (-r flag)
It analyzes HTTP traffic and identifies file transfers
Each found file is reconstructed and saved in the ./objects directory

After running the command, Tshark will display each file it extracts. For example, you might see output like this showing the successful extraction of files:

Exporting HTTP object 1: image1.jpg
Exporting HTTP object 2: document.pdf

These files are now available in your objects directory for further examination. This technique is particularly useful when analyzing web traffic or investigating file downloads during network troubleshooting.

List Files in ./objects

In this step, we'll examine the HTTP objects that were extracted from the packet capture in the previous step. These objects represent files transferred over HTTP, such as images, documents, or scripts. By listing the contents of the ./objects directory, we can verify what files were successfully exported and prepare for further analysis.

First, let's navigate to the project directory where our extracted files are stored. This ensures we're working in the right location:

cd ~/project

To view all extracted files with detailed information, we'll use the ls command with two helpful options:

ls -lh ./objects

Here's what each part does:

-l shows the long format listing with permissions, sizes, and timestamps
-h displays file sizes in human-readable format (KB, MB instead of bytes)

You should see output similar to this, showing the actual files extracted from the HTTP traffic:

total 24K
-rw-r--r-- 1 labex labex 5.2K Jan 1 10:00 image1.jpg
-rw-r--r-- 1 labex labex 12K Jan 1 10:00 document.pdf
-rw-r--r-- 1 labex labex 1.5K Jan 1 10:00 script.js

If you just need to know how many files were extracted (without seeing their details), this command counts them:

ls ./objects | wc -l

The wc -l part counts the number of lines in the output, which corresponds to the number of files. For our example, it would show:

Filter Specific Request with -Y "http.request.uri"

In this step, we'll explore how to filter specific HTTP requests from a packet capture file using Wireshark's command-line tool, tshark. The -Y option lets us apply powerful display filters to focus only on the network traffic we're interested in analyzing.

Before we begin, let's make sure we're in the right working directory where our packet capture file is stored:

cd ~/project

The basic command structure uses tshark -r to read a packet capture file, followed by -Y with our filter expression. When working with HTTP traffic, we can filter specifically for HTTP request packets by examining their URI (Uniform Resource Identifier) paths:

tshark -r http.pcap -Y "http.request.uri"

This command will process the http.pcap file and display only the HTTP request packets that match our filter. For each matching packet, you'll see important information including:

The packet number (showing its position in the capture)
Timestamp of when the packet was captured
Source and destination IP addresses
The complete HTTP request URI path

Here's what typical output might look like:

10 1.234567 192.168.1.100 → 203.0.113.5 HTTP GET /images/logo.png HTTP/1.1
15 2.345678 192.168.1.100 → 203.0.113.5 HTTP GET /api/data.json HTTP/1.1

We can make our filter more specific by looking for particular file types or paths. For example, to find only requests for PNG image files, we can modify our filter to check for ".png" in the URI:

tshark -r http.pcap -Y 'http.request.uri contains ".png"'

This technique is particularly useful when analyzing web traffic to identify specific resources being requested, or when troubleshooting particular types of web requests. The display filter syntax gives us precise control over what packets we see in our analysis.

Summary

In this lab, you have learned to analyze HTTP traffic and extract transferred objects using Wireshark's command-line tool tshark. By working with the http.pcap file, you practiced viewing packet details with the -r flag and exporting HTTP objects like images and documents to a designated directory using --export-objects.

You also explored filtering specific HTTP requests with the -Y flag to isolate traffic based on URIs. These techniques provide essential skills for efficient network analysis and targeted file extraction through tshark's command-line interface.