This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use tshark to search http gzip encoded

0

So...topic says it. I'm attempting to do something like ngrep (which for some reason isn't working on my pcaps). I'm trying to search for an item in a gzip encoded pcap, but I'm having a rough go of it. Here's what I've tried:

tshark -o http.decompress_body:TRUE -r _test.pcap -R 'data-text-lines contains Commentary'

But it's not seeming to fly. Any hints on how to look into an http body that's gzip'ed with tshark? I know I can do this with wireshark, but I'd like to do it with tshark on a remote machine. Thank you.

asked 14 Aug '12, 10:22

DigiAngel's gravatar image

DigiAngel
1334
accept rate: 0%

One Answer:

1

Seems to work fine with me:

$ tshark -o http.decompress_body:FALSE -nlr http-compression-ipv6.pcap -R 'data-text-lines contains "apply"'
$ tshark -o http.decompress_body:TRUE -nlr http-compression-ipv6.pcap -R 'data-text-lines contains "apply"'
 90   6.221425 2a00:1450:4007:802::101f -> 2001:980:5354:3:fa1e:dfff:fed8:8748 HTTP 721 HTTP/1.1 200 OK  (text/html)
$

Do you have the following settings:

  • IP checksum checking disabled
  • TCP checksum checking disabled
  • Full packets, so captures with no snaplength
  • TCP reassembly enabled
  • HTTP reassembly enabled

answered 14 Aug '12, 10:39

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 14 Aug '12, 10:40

Yea that TOTALLY works...I think I needed to define my data-text-lines in single quotes..just what the doctor ordered...thank you.

(14 Aug '12, 12:15) DigiAngel

Also please note that "contains" is case sensitive in the current version of Wireshark. It might not be in the future (as discussed at Sharkfest'12).

(15 Aug '12, 00:43) SYN-bit ♦♦