This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to decompress http contents with tshark

0

I have pcap files with HTTP content compressed with gzip, and want to export each stream to a text file. I know Wireshark can export the uncompressed content through the GUI, but exporting each file manually is a waste of time. I want to do this automatically with tshark.

I tried the following:

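# Collect the distinct TCP stream numbers that carry HTTP traffic
for stream in $(tshark -r input.pcap -T fields -e tcp.stream -2 -R http | sort -nu)
do
  # Dump each stream with "Follow TCP stream" in ASCII mode
  tshark -q -r input.pcap -o http.decompress_body:TRUE -z follow,tcp,ascii,"$stream" > "$stream.txt"
done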

However, "-o http.decompress_body:TRUE" does not seem to work correctly.

Any ideas?

asked 03 May '14, 22:07

hseisyu
accept rate: 0%

edited 03 May '14, 23:25


One Answer:

1

> However, "-o http.decompress_body:TRUE" does not seem to work correctly.

The option does work, but the 'Follow TCP stream' function does not decompress the HTTP response, neither in Wireshark (GUI) nor in tshark (CLI), as that's not implemented yet. The 'Follow TCP stream' function just shows the contents of the TCP payload as it is transmitted over the wire.

There is an enhancement request:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3528

However, a patch that implemented the feature has never been accepted due to some problems.

So, if you need to extract the HTTP payload, including uncompressed HTTP responses, your options are:

  • implement the feature yourself and submit the code
  • wait until the feature gets implemented by somebody
  • pay somebody to implement it for you
  • use a different tool, like one of those mentioned in the following questions/answers.

http://ask.wireshark.org/questions/10023/command-line-option-for-follow-tcp-stream
http://ask.wireshark.org/questions/23706/capturing-url-from-tcp-packets
http://ask.wireshark.org/questions/31557/how-to-extract-email-files
http://ask.wireshark.org/questions/26959/if-tshark-can-support-export-objects-like-wireshark-for-gui

Regards
Kurt

answered 04 May '14, 08:57

Kurt Knochner ♦
accept rate: 15%
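
Because 'Follow TCP stream' returns the payload exactly as it crossed the wire, the gzip and chunked encodings have to be undone afterwards. The following is an added example, not part of the original question or answer, of doing that in Python on the server-to-client bytes of one reassembled stream. The function names and the sample data are constructed for illustration, and it assumes every response carries a body (no HEAD or 304 replies).

```python
import gzip
import zlib


def dechunk(data: bytes) -> tuple[bytes, int]:
    """Decode a chunked body; return (body, number of bytes consumed)."""
    body, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:  # last chunk: skip optional trailers up to the blank line
            return body, data.index(b"\r\n\r\n", pos - 2) + 4
        body += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def decode_http_responses(stream: bytes) -> list[bytes]:
    """Split server-to-client bytes into responses and return decoded bodies."""
    bodies, pos = [], 0
    while pos < len(stream):
        head_end = stream.index(b"\r\n\r\n", pos)
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip().lower()
                   for k, _, v in (ln.partition(":") for ln in lines[1:])}
        pos = head_end + 4
        if "chunked" in headers.get("transfer-encoding", ""):
            body, used = dechunk(stream[pos:])
        else:  # no Content-Length: body runs until the connection closes
            used = int(headers.get("content-length", len(stream) - pos))
            body = stream[pos:pos + used]
        pos += used
        if headers.get("content-encoding") in ("gzip", "x-gzip", "deflate"):
            body = zlib.decompress(body, zlib.MAX_WBITS | 32)  # gzip or zlib header
        bodies.append(body)
    return bodies


def sample_stream() -> bytes:
    """Constructed sample: one Content-Length and one chunked gzip response."""
    page, js = gzip.compress(b"<html>hello</html>"), gzip.compress(b"console.log(1);")
    half = len(js) // 2
    chunks = b"%x\r\n%s\r\n%x\r\n%s\r\n0\r\n\r\n" % (half, js[:half], len(js) - half, js[half:])
    head = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
    return (head + b"Content-Length: %d\r\n\r\n" % len(page) + page
            + head + b"Transfer-Encoding: chunked\r\n\r\n" + chunks)
```

For real captures, the input bytes can be built from the hex lines of `-z follow,tcp,raw,$stream` with `bytes.fromhex`, keeping only the server-to-client lines.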