The Moose and Squirrel Files

October 1, 2008

Wireshark Scripting – Extracting HTTP Host Headers

Filed under: Network — Tags: , , — networknerd @ 11:00 pm

Anyone who’s looked at packets knows about Wireshark. There seems to be considerably less known about Wireshark’s scripting interface though.

While reviewing a very old packet capture I noticed that the host names as resolved by wireshark weren’t consistent with what I knew of the data. Well what can you do? DNS names and IP addresses are in a constant state of flux. It hit me then that the packet capture itself had all the data I needed to create a hosts file for wireshark. It was just a matter of extracting the data from the http requests or the DNS requests/responses into hosts file format and putting a hosts file in the Wireshark directory.

Every http request contains a host header.  The purpose of the header is to allow web servers with a single IP address to host websites for more than one domain.  The webserver uses the host header to multiplex multiple virtual directories/websites onto a single IP address.

Host Header in an HTTP request

Host Header in an HTTP request

To run the script make sure that you edit the init.lua file in the wireshark directory and comment out the line beginning with disable_lua. The usage is shown below in the script and because we are using tshark we can just redirect the output directly to a hosts file.

Listing 1 – gethttphosts.lua

-- Lua script to extract http host headers to create a hosts
-- file for wireshark name resolution.
-- command line:
--	Tshark –r websurf.pcap –q –X lua_script:gethttphosts.lua

-- Create the field extractors
hostname ="")
ip_dst ="ip.dst")

	local function init_listener()
-- Create a listener that filters for http requests
	  local tap ="frame", "tcp && http.request")
	  function tap.reset()

	  function tap.packet(pinfo,tvb,ip)
-- Format the data and output it
		local strTemp = tostring(ip_dst()) .. " " ..
                                  tostring(hostname()) .. "\n";
	  function tap.draw()


  1. cool!!! – thanks a lot for this post!!!

    Comment by alex693 — July 1, 2009 @ 4:00 am

  2. Thanks for the post. Do you have any more explanation about how works? The Lua/Wireshark docs aren’t very helpful. And what does hostname() do? Is that some kind of function/method call?


    Comment by Victor — October 21, 2011 @ 12:47 pm

    • Hello Victor, glad you found the post useful. Hostname is a field extractor that is created at the beginning of the script. To access the dissected packet from within Lua you need to create the field extractors. I don’t really have any other information on I could only speculate that it is the method used to bind a Lua variable/function name to one of the fields dissected by wireshark.

      Comment by networknerd — October 21, 2011 @ 2:05 pm

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at

%d bloggers like this: