This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can tshark display textual HTTP content during capture?

1

Hi SYN-bit I posted this question on ask.wireshark.org: http://ask.wireshark.org/questions/17961/display-http-content-as-text-using-tshark Jasper suggested I ask you whether you can help here. The question basically is, is it possible to get tshark to emit the content of a (textual) HTTP conversation live, that is not on a set of packets that have already been captured? Thanks! David

asked 27 Jan '13, 11:19

David%20Sackstein's gravatar image

David Sackstein
31448
accept rate: 0%


2 Answers:

0

Nope, I don't think that's (easily) possible. But I'm sure there are other specific http tools that will spit out the http objects for you while receiving them.

answered 29 Jan '13, 04:36

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

1

Hi SYN-bit,

I was able to get what I needed in the end, so I will share my findings:

This is the command line I am using:

tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.duplicate_ack" -T fields -e ip.host -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e data -e text -E separator=;2>&0

-e data gets me the POST parameters and -e text gets me the content of the response.

answered 04 Mar '13, 11:31

David%20Sackstein's gravatar image

David Sackstein
31448
accept rate: 0%