Command dissect
The dissect command (alias: dis) allows you to read a fluxzy archive file or a fluxzy dump directory and extract a specific part of it.
Options
Description:
Read content of a previously captured file or directory.
Usage:
fluxzy dissect <input-file-or-directory> [command] [options]
Arguments:
<input-file-or-directory> A fluxzy file or directory to dissect
Options:
-i, --id <id> Exchange ids, comma separated exchange list
-f, --format <format> Specify how to format each matching exchanges to the outputted
result. The default value is "{id} - {url} - {status}"
-o, --output-file <output-file> Output the formatted result to a file instead of stdout
-u, --unique Result must be unique or exit error [default: False]
-?, -h, --help Show help and usage information
Commands:
pcap <input-file-or-directory> Export pcapng files from an archive or dump directory.
List exchanges
Running the command without the filter id option (-i) will list all exchanges of the fluxzy archive or dump directory with the default formatting ({id} - {url} - {status}).
fluxzy dissect /path/to/archive.fxzy
Or with a dump directory:
fluxzy dissect /path/to/dump-folder
Filtering exchanges
You can use the -i option to filter exchanges by id. If you wish to select multiple exchange ids, you can separate the values with a comma (,).
fluxzy dissect /path/to/archive.fxzy -i "1,2,3"
Formatting output
By default, fluxzy will output the matching exchanges with the default format {id} - {url} - {status}. If you want to display a specific part of the exchange, you can change this default format with the -f option.
For example, the following formatting will output the remote host instead of the url.
fluxzy dissect /path/to/archive.fxzy -i "1,2,3" -f "{id} - {host}"
The possible values of the format are:
| Value | Description |
|---|---|
| url | The url of the request |
| method | The method of the request |
| status | The status of the response |
| content-type | The content type of the response |
| authority | The authority of the request |
| path | The path of the request |
| host | The host of the request |
| id | The id of the exchange |
| http-version | The http version of the exchange |
| scheme | The scheme of the request |
| request-body-length | The length of the request body |
| response-body-length | The length of the response body |
| response-body | The response body, with any transport transformation (gzip, chunk, ...) removed |
| request-body | The request body, with any transport transformation (gzip, chunk, ...) removed |
| pcap | The pcap of the connection used by the exchange |
| pcap-raw | The pcap raw of the connection used by the exchange (encrypted) |
Filtering on specific fields
To filter on a specific field, use the format option (-f) to reference that field, then pipe the result to a shell search command (grep, egrep, or find on Windows) to find the desired entry.
Here is a sample that searches for all exchanges with a status code 200. The pattern includes the " - " separator so that an exchange whose id contains 200 does not match.
fluxzy dissect /path/to/archive.fxzy -f "{id} - {status}" | grep " - 200"
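The following added example (not part of the fluxzy documentation) matches on the status field itself rather than on the whole line, and joins the matching ids with commas, the form the -i option accepts. The helper name `ids_with_status`, the `Nxx` class syntax and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: select exchange ids by exact status code or status class from
# the output of
#   fluxzy dissect /path/to/archive.fxzy -f "{id} - {status} - {content-type}"
# and print them comma-separated, ready to be passed to -i.

# Constructed sample output (not from a real capture). Exchange 200 has
# status 404, so a plain `grep "200"` would wrongly select it.
sample_dissect_output() {
    cat <<'EOF'
1 - 200 - text/html
2 - 302 - text/html
200 - 404 - application/json
4 - 200 - image/png
5 - 403 - text/plain
EOF
}

# ids_with_status <code|Nxx>  (hypothetical helper; reads dissect output on stdin)
#   200 -> exchanges whose status is exactly 200
#   4xx -> exchanges whose status is in the 400-499 class
ids_with_status() {
    awk -F ' - ' -v want="$1" '
        {
            id = $1
            status = $2 ""                      # force string comparison
            # Skip lines without a three-digit status in the second field.
            if (status !~ /^[0-9][0-9][0-9]$/) { next }
            if (want ~ /^[1-5]xx$/) {
                hit = (substr(status, 1, 1) == substr(want, 1, 1))
            } else {
                hit = (status == (want ""))
            }
            if (hit) { out = out (out == "" ? "" : ",") id }
        }
        END { print out }
    '
}

# Demo on the constructed sample; prints: 200,5
sample_dissect_output | ids_with_status 4xx
```

The resulting list can be fed back to the command, for example `fluxzy dissect /path/to/archive.fxzy -i "200,5" -f "{id} - {url}"`.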
Exporting binary data
You can export binary data of an exchange with the dissect command. Binary data can be: request body, response body, pcap and pcap raw. For this you can use the format option with only the field you want to export.
fluxzy dissect /path/to/archive.fxzy -i "1" -f "{response-body}" -o /path/to/output -u
If you don't want the result on standard output, you can use the -o option to specify the output file as in the example above.
Additionally you can use the -u option to abort the command if multiple outputs are found for the specified exchange.
Exporting PCAP files
The pcap subcommand allows you to export pcapng files from an archive or dump directory.
fluxzy dissect /path/to/archive.fxzy pcap -o /path/to/output.pcapng
PCAP export requires that the capture was performed with the --include-dump (-c) option enabled during the start command.