Hi, I am using tshark to monitor http traffic on a server. I would like to display some of the IP fields, some of the HTTP headers and the HTTP content if it is textual. Is there a way to do this with tshark? Thanks David asked 26 Jan '13, 04:25 David Sackstein |
One Answer:
You could do something like this:
The "-R" parameter filters on tcp port 80 to skip all packets that are not on that port - if your HTTP traffic is using another port you could change that, or maybe -R "http" would work just as well in most cases. The "-e" parameters are used to tell tshark what fields you want to see, so you can add all the fields you need (I just added a few as examples) answered 26 Jan '13, 07:30 Jasper ♦♦ edited 26 Jan '13, 07:30 showing 5 of 8 show 3 more comments |
Hi Jasper Thanks for the quick response. This option does not allow me to see he http content, though. How can I do that? Thanks David
You could try "data-text-lines", but I'm not sure if it will show all content. It should show all HTTP content that Wireshark can determine as such I guess.
Hi Jasper, Unfortunately this doesnt work. I get lots of empty lines and from time to time this: Line-based text data: text/html But I dont get any text from the content of the http responses. It seems strange that Wireshark is able to display an entire HTTP conversation using the "decode as" option, but tshark doesnt have it. Dumping the packets themselves (using -x or -w) is not good enough because it doesnt handle reassembly. What do you think? David
Maybe it has to do with the http data being gzipped. I'm not sure if tshark can display the uncompressed content. If you're interested in seeing the content like in "Follow TCP Steam" in Wireshark, maybe SYN-bits answer in this question can help: http://ask.wireshark.org/questions/17903/how-do-i-view-all-streams-in-follow-tcp-streams
Hi Jasper, The http data I am working with is not gzipped. I read SYN-bits answer in the link you mentioned. It allows you to decode HTTP content from a previously captured file. But I need to decode this information in a live capture. I think Wireshark also cant do this, because the "follow TCP stream" and "decode as" options are indeed on packets that have already been captured. From what I read, tcpflow can do what I need - but tcpflow doesnt support IP fragmentation. So, do you think I need to write my own HTTP/TCP/IP sniffer for this? David
The real time part is a problem, I can see that. Before starting the long and hard work of writing your own sniffer you should wait a little more to see if any tshark expert has another idea. Tshark scripting isn't exactly my specialty, but maybe @Landi, @SYN-Bit or @Kurt can help - they are the command line pro's :-)
Hi Jasper,
Thanks for your help on this. In the end this is what I used:
This is the command line I am using:
tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.duplicate_ack" -T fields -e ip.host -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e data -e text -E separator=;2>&0
-e data gets me the POST parameters and -e text gets me the content of the response.
David
Wow, that is quite some parameter zoo you've got... congratulations, and thanks for the feedback!