Anyone who’s looked at packets knows about Wireshark. There seems to be considerably less known about Wireshark’s scripting interface though.
While reviewing a very old packet capture I noticed that the host names as resolved by wireshark weren’t consistent with what I knew of the data. Well what can you do? DNS names and IP addresses are in a constant state of flux. It hit me then that the packet capture itself had all the data I needed to create a hosts file for wireshark. It was just a matter of extracting the data from the http requests or the DNS requests/responses into hosts file format and putting a hosts file in the Wireshark directory.
Every http request contains a host header. The purpose of the header is to allow web servers with a single IP address to host websites for more than one domain. The webserver uses the host header to multiplex multiple virtual directories/websites onto a single IP address.
Host Header in an HTTP request
To run the script make sure that you edit the init.lua file in the wireshark directory and comment out the line beginning with disable_lua. The usage is shown below in the script and because we are using tshark we can just redirect the output directly to a hosts file.
Listing 1 – gethttphosts.lua
-- Lua script to extract http host headers to create a hosts
-- file for wireshark name resolution.
-- command line:
-- Tshark –r websurf.pcap –q –X lua_script:gethttphosts.lua
Do
-- Create the field extractors
hostname = Field.new("http.host")
ip_dst = Field.new("ip.dst")
local function init_listener()
-- Create a listener that filters for http requests
local tap = Listener.new("frame", "tcp && http.request")
function tap.reset()
end
function tap.packet(pinfo,tvb,ip)
-- Format the data and output it
local strTemp = tostring(ip_dst()) .. " " ..
tostring(hostname()) .. "\n";
io.write(strTemp);
end
function tap.draw()
end
end
init_listener()
end
