How to decompress http contents with tshark

Question

I have pcap files with http contents compressed by gzip, and want to export each stream to a text file. I know wireshark can export the uncompressed contents by GUI, but exporting each file manually is time wasting. I want to do this by tshark automatically.

I tried followings:

for stream in `tshark -r input.pcap -T fields -e tcp.stream -2 -R http | sort -n | uniq`
do
  tshark -q -r input.pcap -o http.decompress_body:TRUE -z follow,tcp,ascii,$stream > $stream.txt
done

However, "-o http.decompress_body:TRUE" does not seem to work correctly.

Any ideas?

Accepted Answer

However, "-o http.decompress_body:TRUE" does not seem to work correctly.

the option does work, but the 'Follow TCP stream' function does not decompress the HTTP response, neither in Wireshark (GUI) nor in tshark (CLI), as that's not implemented yet. The 'Follow TCP stream' function just shows the contents of the TCP payload as it is transmitted over the wire.

There is an enhancement request:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3528

However, a patch that implemented the feature has never been accepted due to some problems.

So, if you need to extract the HTTP payload, including uncompressed HTTP responses, your options are:

implement the feature yourself and submit the code
wait until the feature gets implemented by somebody
pay somebody to implement it for you
use a different tool, like one of those mentioned in the following questions/answers.

http://ask.wireshark.org/questions/10023/command-line-option-for-follow-tcp-stream
http://ask.wireshark.org/questions/23706/capturing-url-from-tcp-packets
http://ask.wireshark.org/questions/31557/how-to-extract-email-files
http://ask.wireshark.org/questions/26959/if-tshark-can-support-export-objects-like-wireshark-for-gui

Regards
Kurt