Re: filter for ONLY initial get request

[Jeffs <jeffs () speakeasy net>]

On 8/9/2010 10:47 PM, Jeffs wrote:
> On 8/9/2010 11:25 AM, Sake Blok wrote:
>    
> > Have a look at the presentation I gave at Sharkfest'10, it shows you how you can accomplish something quite similar 
> > with Tshark and some (minor) scripting. You should be able to change the commands to your needs.
> >
> > http://www.cacetech.com/sharkfest.10/A-6_Blok%20HANDS-ON%20LAB%20-%20Using%20Wireshark%20Command%20Line%20Tools%20and%20Scripting.zip
> >
> >      
>
> Question: in the wonderful example in that paper for finding the top 10
> requested URLs, with this formula:
>
> tshark -r example.cap -R http.request -T fields -e http.host -e
> http.request.uri | sed -e 's/?.*$//' | sed -e
> 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head
>
>
> Where does one set the top "10"?  How would I change that to, say, top
> "20" or whatever?  Or does uniq -c always just produce the top 10?
>
> Thank you.
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list<wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>               mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
>    
I can now answer my own question:

tshark -r example.cap -R http.request -T fields -e http.host -e 
http.request.uri | sed -e 's/?.*$//' | sed -e 
's#^\(.*\)\t\(.*\)$#http://\1\2#&apos; | sort | uniq -c | sort -rn | head -n 30

the -n 30 represents how many lines to print out.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe