Anyone who’s looked at packets knows about Wireshark. There seems to be considerably less known about Wireshark’s scripting interface though.
While reviewing a very old packet capture I noticed that the host names as resolved by Wireshark weren’t consistent with what I knew of the data. Well, what can you do? DNS names and IP addresses are in a constant state of flux. It hit me then that the packet capture itself had all the data I needed to create a hosts file for Wireshark. It was just a matter of extracting the data from the HTTP requests or the DNS requests/responses into hosts file format and putting a hosts file in the Wireshark directory.
Every HTTP request contains a Host header. The purpose of the header is to allow a web server with a single IP address to host websites for more than one domain: the web server uses the Host header to multiplex multiple virtual directories/websites onto a single IP address.
To run the script, make sure that you edit the init.lua file in the Wireshark directory and comment out the line beginning with disable_lua. The usage is shown in the comment at the top of the script, and because we are using tshark we can just redirect the output directly to a hosts file.
Listing 1 – gethttphosts.lua
-- Lua script to extract http host headers to create a hosts
-- file for wireshark name resolution.
-- command line:
-- tshark -r websurf.pcap -q -X lua_script:gethttphosts.lua
do
  -- Create the field extractors (must be created at load time, outside the callbacks)
  hostname = Field.new("http.host")
  ip_dst = Field.new("ip.dst")

  local function init_listener()
    -- Create a listener that filters for http requests
    local tap = Listener.new("frame", "tcp && http.request")

    function tap.reset() end

    function tap.packet(pinfo, tvb, ip)
      local host = hostname()
      local dst = ip_dst()
      -- Skip requests without a Host header (e.g. HTTP/1.0) so "nil" never reaches the hosts file
      if host == nil or dst == nil then return end
      -- Format the data as "<ip> <name>" and output it
      local strTemp = tostring(dst) .. " " .. tostring(host) .. "\n"
      io.write(strTemp)
    end

    function tap.draw() end
  end

  init_listener()
end
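The same tap pattern applied to the other source the post mentions, DNS responses, as an added example that is not the original post's script. It maps the queried name to every A record in the answer, de-duplicates the lines in memory and writes them once in draw(), which tshark calls at the end of the file; the script name getdnshosts.lua is an assumption.

```lua
-- Added example (not the original post's script): hosts-file lines from DNS
-- answers instead of HTTP Host headers, de-duplicated before output.
-- Assumed usage: tshark -r capture.pcap -q -X lua_script:getdnshosts.lua > hosts
do
  -- Field extractors are created at load time, outside the callbacks
  local qry_name = Field.new("dns.qry.name")
  local dns_a    = Field.new("dns.a")

  local seen  = {}   -- "<ip> <name>" -> true, suppresses repeated lines
  local order = {}   -- first-seen order so the output is stable

  local function init_listener()
    -- Only DNS responses that carry at least one A record
    local tap = Listener.new("frame", "dns.flags.response == 1 && dns.a")

    function tap.reset() end

    function tap.packet(pinfo, tvb, tapinfo)
      local name = qry_name()
      if name == nil then return end
      -- One response may hold several A records (round robin, CNAME chains);
      -- calling the extractor in table form returns every instance.
      for _, a in ipairs({ dns_a() }) do
        local line = tostring(a) .. " " .. tostring(name)
        if not seen[line] then
          seen[line] = true
          order[#order + 1] = line
        end
      end
    end

    -- tshark calls draw() once at the very end of the capture file
    function tap.draw()
      for _, line in ipairs(order) do
        io.write(line, "\n")
      end
    end
  end

  init_listener()
end
```

Because the name comes from the question section, a CNAME chain still yields the name the client asked for, which is what you want Wireshark to display.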