This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I am using tshark to monitor http traffic on a server. I would like to display some of the IP fields, some of the HTTP headers and the HTTP content if it is textual. Is there a way to do this with tshark? Thanks David

asked 26 Jan '13, 04:25

David%20Sackstein's gravatar image

David Sackstein
31448
accept rate: 0%


You could do something like this:

tshark -r trace.pcapng  -R "tcp.port==80" -Tfields -e ip.src -e ip.dst -e http.response.code

The "-R" parameter filters on tcp port 80 to skip all packets that are not on that port - if your HTTP traffic is using another port you could change that, or maybe -R "http" would work just as well in most cases. The "-e" parameters are used to tell tshark what fields you want to see, so you can add all the fields you need (I just added a few as examples)

permanent link

answered 26 Jan '13, 07:30

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 26 Jan '13, 07:30

Hi Jasper Thanks for the quick response. This option does not allow me to see he http content, though. How can I do that? Thanks David

(26 Jan '13, 08:00) David Sackstein

You could try "data-text-lines", but I'm not sure if it will show all content. It should show all HTTP content that Wireshark can determine as such I guess.

(26 Jan '13, 08:45) Jasper ♦♦

Hi Jasper, Unfortunately this doesnt work. I get lots of empty lines and from time to time this: Line-based text data: text/html But I dont get any text from the content of the http responses. It seems strange that Wireshark is able to display an entire HTTP conversation using the "decode as" option, but tshark doesnt have it. Dumping the packets themselves (using -x or -w) is not good enough because it doesnt handle reassembly. What do you think? David

(26 Jan '13, 10:21) David Sackstein

Maybe it has to do with the http data being gzipped. I'm not sure if tshark can display the uncompressed content. If you're interested in seeing the content like in "Follow TCP Steam" in Wireshark, maybe SYN-bits answer in this question can help: http://ask.wireshark.org/questions/17903/how-do-i-view-all-streams-in-follow-tcp-streams

(26 Jan '13, 11:42) Jasper ♦♦

Hi Jasper, The http data I am working with is not gzipped. I read SYN-bits answer in the link you mentioned. It allows you to decode HTTP content from a previously captured file. But I need to decode this information in a live capture. I think Wireshark also cant do this, because the "follow TCP stream" and "decode as" options are indeed on packets that have already been captured. From what I read, tcpflow can do what I need - but tcpflow doesnt support IP fragmentation. So, do you think I need to write my own HTTP/TCP/IP sniffer for this? David

(26 Jan '13, 14:07) David Sackstein

The real time part is a problem, I can see that. Before starting the long and hard work of writing your own sniffer you should wait a little more to see if any tshark expert has another idea. Tshark scripting isn't exactly my specialty, but maybe @Landi, @SYN-Bit or @Kurt can help - they are the command line pro's :-)

(26 Jan '13, 18:01) Jasper ♦♦

Hi Jasper,

Thanks for your help on this. In the end this is what I used:

This is the command line I am using:

tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.duplicate_ack" -T fields -e ip.host -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e data -e text -E separator=;2>&0

-e data gets me the POST parameters and -e text gets me the content of the response.

David

(04 Mar '13, 13:01) David Sackstein

Wow, that is quite some parameter zoo you've got... congratulations, and thanks for the feedback!

(05 Mar '13, 12:34) Jasper ♦♦
showing 5 of 8 show 3 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×293

question asked: 26 Jan '13, 04:25

question was seen: 11,590 times

last updated: 05 Mar '13, 12:34

p​o​w​e​r​e​d by O​S​Q​A