Generate report by http hosts in tcpdump / wireshark capture

Assume that you have captured some network traffic and want to generate a report to see how many requests comes for specific http hostname.

It is possible to filter by or http.request.method in wireshark but it does not have this type of reporting functionality.

You can generate a report with the help of less known but important tshark utility and standard tools on console:

tshark -r capture.pcap -Y "http.request.method==GET" -T fields -e ""

After that you can send this output to sort | uniq -c | sort -n pipe to sort by the number of requests each received.

This is just a basic example of tshark’s capabilities, you can use lots of filters to create advanced reports.