Anyone who has looked at packets knows about Wireshark. Considerably less seems to be known about Wireshark's scripting interface, though.
While reviewing a very old packet capture I noticed that the host names as resolved by Wireshark weren't consistent with what I knew of the data. Well, what can you do? DNS names and IP addresses are in a constant state of flux. It hit me then that the packet capture itself had all the data I needed to create a hosts file for Wireshark. It was just a matter of extracting the data from the HTTP requests or the DNS requests/responses into hosts file format and putting a hosts file in the Wireshark directory.
Every HTTP request contains a Host header. The purpose of the header is to allow a web server with a single IP address to host websites for more than one domain: the web server uses the Host header to multiplex multiple virtual hosts (directories/websites) onto a single IP address.
To run the script, make sure that you edit the init.lua file in the Wireshark directory and comment out the line beginning with disable_lua. The usage is shown in the comments at the top of the script, and because we are running it under tshark we can simply redirect the output directly to a hosts file.
Listing 1 – gethttphosts.lua
-- Lua script to extract HTTP Host headers to create a hosts
-- file for Wireshark name resolution.
-- command line:
-- tshark -r websurf.pcap -q -X lua_script:gethttphosts.lua
do
    -- Create the field extractors (must be created at script load
    -- time, before any packet is dissected)
    local hostname = Field.new("http.host")
    local ip_dst = Field.new("ip.dst")

    local function init_listener()
        -- Create a listener that filters for HTTP requests
        local tap = Listener.new("frame", "tcp && http.request")

        function tap.reset()
        end

        -- Called once for every packet that matches the filter
        function tap.packet(pinfo, tvb)
            -- Format the data as "<destination ip> <host name>" and output it
            local strTemp = tostring(ip_dst()) .. " " ..
                tostring(hostname()) .. "\n"
            io.write(strTemp)
        end

        function tap.draw()
        end
    end

    init_listener()
end
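The script above prints one "ip host" line per HTTP request, so a capture of a browsing session produces many repeated lines, and the Host value is whatever the client put on the wire: it may carry a ":port" suffix, be an IP literal, or not be a valid name at all. The following post-processing step is an added example, not code from the original post; it reads the script's output (here a constructed sample), validates both columns, strips the port, and writes deduplicated hosts-file lines. The file name cleanhosts.py in the usage comment is a made-up name.

```python
# Added example (not code from the original post): clean up the
# "<ip> <host>" lines that gethttphosts.lua prints into a deduplicated
# hosts file for Wireshark. The Host header is whatever the client sent,
# so each value is validated rather than copied through verbatim.
import ipaddress
import re
import sys

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample of tshark + script output (not real capture data).
# It includes the cases worth handling: repeats, mixed case, a ":port"
# suffix, a Host that is just an IP literal, an invalid label and IPv6.
SAMPLE_OUTPUT = """\
192.0.2.10 www.example.com
192.0.2.10 www.example.com
192.0.2.10 WWW.Example.COM
192.0.2.20 intranet.example.net:8080
192.0.2.30 192.0.2.30
192.0.2.40 bad_host.example
2001:db8::1 ipv6.example.org
"""


def normalize_host(raw):
    """Return a lowercase host name without ':port', or None if unusable."""
    host = raw.strip().lower()
    if host.startswith("[") and "]" in host:
        # Bracketed IPv6 literal, e.g. "[2001:db8::1]:443"
        host = host[1:host.index("]")]
    elif host.count(":") == 1:
        # "name:port" form of the Host header; drop the port
        host = host.split(":", 1)[0]
    host = host.rstrip(".")
    if not host:
        return None
    try:
        # A Host header that is itself an IP address adds no name information
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    if not all(_LABEL.match(label) for label in host.split(".")):
        return None
    return host


def parse_lines(text):
    """Yield (ip, host) pairs from script output, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        host = normalize_host(parts[1])
        if host is not None:
            yield ip, host


def build_hosts(text):
    """Return hosts-file lines ("<ip> <host>"), deduplicated, first-seen order."""
    seen = set()
    lines = []
    for pair in parse_lines(text):
        if pair not in seen:
            seen.add(pair)
            lines.append("%s %s" % pair)
    return lines


if __name__ == "__main__":
    # Pipe the tshark output in, or run with no input to see the sample:
    #   tshark -r websurf.pcap -q -X lua_script:gethttphosts.lua | python3 cleanhosts.py > hosts
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(build_hosts(text)))
```

For the sample input this yields three lines (www.example.com, intranet.example.net and ipv6.example.org with their addresses); the IP-literal and malformed entries are dropped rather than written into the file. Keep in mind that an entry produced this way records that some client sent that Host to that address, not that DNS resolves the name there.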