Hi SYN-bit I posted this question on ask.wireshark.org: http://ask.wireshark.org/questions/17961/display-http-content-as-text-using-tshark Jasper suggested I ask you whether you can help here. The question basically is, is it possible to get tshark to emit the content of a (textual) HTTP conversation live, that is not on a set of packets that have already been captured? Thanks! David
asked 27 Jan '13, 11:19
Nope, I don't think that's (easily) possible. But I'm sure there are other specific http tools that will spit out the http objects for you while receiving them.
answered 29 Jan '13, 04:36
I was able to get what I needed in the end, so I will share my findings:
This is the command line I am using:
tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.duplicate_ack" -T fields -e ip.host -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e data -e text -E separator=;2>&0
-e data gets me the POST parameters and -e text gets me the content of the response.
answered 04 Mar '13, 11:31