Network forensics with tshark
http://www.blackbytes.info/2013/09/network-forensics-with-tshark/
Sun, 15 Sep 2013 12:18:18 +0000, admin

Let’s say we have a packet capture file (.pcap) and we want to get as much information out of it as possible. One option is Wireshark and its command-line version, tshark; with the latter we can manipulate and format the output using tools like sed, grep and awk.

Extracting host names

Since we are dealing with mostly HTTP traffic we may be interested in the sites that have been visited. To obtain this information we can use the http.host field and then a bit of sorting, which will show us the top 10 sites.

# Pull the http.host field out of every packet. -T fields writes one line per
# packet, so packets without the field come out as blank lines.
tshark -T fields -e http.host -r tor.pcap > dns.txt
# Drop the blank lines before counting, or they show up as the "top site".
grep -v '^$' dns.txt | sort | uniq -c | sort -nr | head


[Image: top-sites]

User agents

# -R took the display filter in the tshark of the day (1.8); since 1.10 the
# equivalent option is -Y, and -R needs -2 (two-pass) to work.
tshark -R 'http contains "User-Agent:"' -T fields -e http.user_agent -r tor2b.pcap | sort | uniq -c | sort -nr | less

[Image: user-agents]

-R takes a display filter, written with the same syntax we would use in Wireshark; you can find a list of useful display filters here.

Email address

Another interesting bit of data is email addresses, which we can extract by running a regexp over the raw text data.

# Dump the decoded text lines of every packet that carries line-based text data
tshark -r tor.pcap -R "data-text-lines" -T fields -e text > alldata.txt

# Pull out anything shaped like an email address and de-duplicate the list
grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b' alldata.txt | sort | uniq

[Image: email]
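The three pipelines above share one pattern: tshark emits tab-separated fields, and sort/uniq/grep do the analysis. The script below is an added example, not code from the original post; it stands in for the tshark output with constructed sample lines (the `sample_fields` and `sample_text` functions are hypothetical stand-ins), drops the blank-host lines the first pipeline would otherwise count, and adds a per-source User-Agent check that goes a step beyond the post.

```shell
#!/bin/sh
# Added example, not part of the original post: post-process `tshark -T fields`
# output with the sort/uniq/grep toolbox the post uses. sample_fields() stands
# in for a hypothetical `tshark -r capture.pcap -Y http.request -T fields
# -e ip.src -e http.host -e http.user_agent`, so nothing here needs tshark or a
# capture. (-Y is the display-filter flag since tshark 1.10; -R is the old one.)
set -e

# Constructed sample: one HTTP request per line, fields separated by tabs.
# Line 5 has an empty http.host, as happens for packets lacking the field;
# the post's first pipeline would count those blanks as the "top site".
sample_fields() {
    printf '%s\t%s\t%s\n' \
        10.0.0.5 example.com        'Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0' \
        10.0.0.5 example.com        'Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0' \
        10.0.0.5 cdn.example.net    'Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0' \
        10.0.0.7 example.com        'curl/7.29.0' \
        10.0.0.7 ''                 'curl/7.29.0' \
        10.0.0.9 update.example.org 'Mozilla/4.0 (compatible; MSIE 6.0)' \
        10.0.0.9 update.example.org 'python-requests/2.0'
}

# Top N hosts (default 10) as "host count"; blank hosts are dropped and
# ties are broken by name so the order is deterministic.
top_hosts() {
    sample_fields | cut -f2 | grep -v '^$' | sort | uniq -c \
        | sort -k1,1nr -k2,2 | head -n "${1:-10}" | awk '{ print $2, $1 }'
}

# Sources that sent more than one distinct User-Agent. A single browser
# normally keeps one, so these hosts are the first to look at in triage.
multi_agent_sources() {
    sample_fields | cut -f1,3 | sort -u | cut -f1 | uniq -c \
        | awk '$1 > 1 { print $2 }'
}

# Constructed stand-in for the text dumped with `-R data-text-lines -e text`.
sample_text() {
    printf '%s\n' 'From: Alice <alice@example.com>' \
        'Reply to BOB@EXAMPLE.COM or alice@example.com by Monday.' \
        'not-an-address@localhost'
}

# The post's email regexp, plus lower-casing so case variants collapse.
extract_emails() {
    sample_text | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b' \
        | tr 'A-Z' 'a-z' | sort -u
}

top_hosts 3; multi_agent_sources; extract_emails
```

To run it against a real capture, replace `sample_fields` and `sample_text` with the tshark commands named in the comments.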

Here are a few extra examples if you want to learn more, and don’t forget to take a look at the official documentation.
