使用tshark解析
安装tshark
apt install tshark
# Test: emit one tab-separated row per dissected HTTP request/response.
# The field order here is the same one pcap2http.sh below relies on by position:
# tcp.stream, request method/uri/version/header lines, response version/code/phrase/header lines, body.
tshark -r gitlab.pcap -T fields -Y http -e tcp.stream -e http.request.method -e http.request.uri -e http.request.version -e http.request.line -e http.response.version -e http.response.code -e http.response.phrase -e http.response.line -e http.file_data
工具
简易脚本pcap2http.sh
需要安装：apt install xmlstarlet gawk（脚本里的 gensub() 是 gawk 扩展，Debian/Ubuntu 默认的 mawk 不支持，所以必须装 gawk；tshark 的安装见上文）
#!/bin/bash
FIELDS=(
tcp.stream
http.request.method http.request.uri http.request.version
http.request.line
http.response.version http.response.code http.response.phrase
http.response.line
http.file_data
)
tshark -r $1 -T fields -Y http ${FIELDS[@]/#/-e$IFS} |
awk -v FS=$'\t' '
{
output = $1 ".http";
n = $2 ? 2 : 6
if (OUTPUTS[output]) printf("") >> output;
else {printf("") > output; OUTPUTS[output] = 1; }
printf("%s %s %s\n", $n, $(n+1), $(n+2)) >> output;
printf("%s\n", gensub("(\\\\r\\\\n,?)+", "\n", "g", $(n+3))) >> output;
if (substr($10,1,1) == "<") {
fflush(output);
close(output);
xmlstarlet = "xmlstarlet fo - >> "output;
printf("%s\n", gensub("\\\\n", "\n", "g", $10)) | xmlstarlet;
close(xmlstarlet);
printf("") >> output;
}
else
printf("%s\n", $10) >> output;
printf("\n--\n\n") >> output;
close(output);
}
'
使用方法
./pcap2http.sh xxx.pcap   # 每个 TCP 流的请求/响应按顺序写入当前目录下的 <tcp.stream>.http，各条消息之间用 "--" 分隔