Wireshark Scripting – Extracting HTTP Host Headers

Anyone who’s looked at packets knows about Wireshark. There seems to be considerably less known about Wireshark’s scripting interface though.

While reviewing a very old packet capture I noticed that the host names as resolved by wireshark weren’t consistent with what I knew of the data. Well what can you do? DNS names and IP addresses are in a constant state of flux. It hit me then that the packet capture itself had all the data I needed to create a hosts file for wireshark. It was just a matter of extracting the data from the http requests or the DNS requests/responses into hosts file format and putting a hosts file in the Wireshark directory.

Every http request contains a host header.  The purpose of the header is to allow web servers with a single IP address to host websites for more than one domain.  The webserver uses the host header to multiplex multiple virtual directories/websites onto a single IP address.

Host Header in an HTTP request

To run the script make sure that you edit the init.lua file in the wireshark directory and comment out the line beginning with disable_lua. The usage is shown below in the script and because we are using tshark we can just redirect the output directly to a hosts file.

Listing 1 – gethttphosts.lua

-- Lua script to extract http host headers to create a hosts
-- file for wireshark name resolution.
-- command line:
--	Tshark –r websurf.pcap –q –X lua_script:gethttphosts.lua

Do
-- Create the field extractors
hostname = Field.new("http.host")
ip_dst = Field.new("ip.dst")

	local function init_listener()
-- Create a listener that filters for http requests
	  local tap = Listener.new("frame", "tcp && http.request")
	  function tap.reset()
	  end

	  function tap.packet(pinfo,tvb,ip)
-- Format the data and output it
		local strTemp = tostring(ip_dst()) .. " " ..
                                  tostring(hostname()) .. "\n";
		io.write(strTemp);
	  end
	  function tap.draw()
	  end
	end
	init_listener()
end