This is our old Q&A Site. Please post any new questions and answers at

Basically I want to capture the message body of each POST request. This command is as far as I've gotten to it:

tshark -Y "http.request.method == POST" -T fields -e text

the "-e text" part because it's not documented anywhere here:

so why does it even work? Anyways, this is the output I get:

Source GeoIP: Unknown,Destination GeoIP: Unknown,No-Operation (NOP),No-Operation (NOP),Timestamps: TSval 91019450, TSecr 2163426594,[truncated] POST,\r\n,HTTP request 1/1 Source GeoIP: Unknown,Destination GeoIP: Unknown,POST  HTTP/1.1\r\n,Client-IP:\r\n,HTTP-X-REAL-IP:\r\n,X-Real-IP:\r\n,Proxy-Connection: Keep-Alive\r\n,\r\n,HTTP request 1/1,**[email protected]&password=05061145&remember=true&act=ajaxLogin2Json** Source GeoIP: Unknown,Destination GeoIP: Unknown,No-Operation (NOP),No-Operation (NOP),Timestamps: TSval 833911496, TSecr 2163426904,POST HTTP/1.\r\n,\r\n,HTTP request 1/1,**evpldjmr**

in bold ** are the parts that I want, without any truncation. Parsing that output through some other program is out of the question because it's

impossible to know where to split and where to look for the parts that I want. So how would I do this? Is there another undocumented field that

output exactly what I want?

asked 25 Jul '15, 09:43

im_a_lawyer's gravatar image

accept rate: 0%

edited 25 Jul '15, 09:47

From an academic point of view I think you mean something like:

tshark -Y "http.request.method==GET" -Tfields -e http.request.full_uri

PLEASE think though, it is pretty much guaranteed to be illegal to obtain this if this is not already your information! Your Nick does not help me in this thought.

Whichever field you are interested in (you can look that up in Wireshark in required) should be substituted after -e

permanent link

answered 25 Jul '15, 11:20

DarrenWright's gravatar image

accept rate: 26%

That only gives me the URL for each POST request. I want the actual POST data that goes with it: field=value&field2=value2...

Which field would give me just that? This is completely legal because this is all happening under our own organization and our own people.

(25 Jul '15, 11:40) im_a_lawyer

tshark -Y "http.request.method==POST" -Tfields -e

(25 Jul '15, 12:02) DarrenWright

Why GET? Also No, that didn't work. I just get blank lines:

(25 Jul '15, 12:06) im_a_lawyer

yeah, sorry ^^ POST should be there copy paste is bad.. I am having trouble finding a site I can POST to that isn't https.. You have blank lines with GET because there is not

strange, when I do this (with POST) it delivers me the information. It is HEX, but you can convert that easily enough

(25 Jul '15, 12:14) DarrenWright

Then what does the "text" field do? Why isn't that documented? It appears to work somewhat, but if I do:

"http.request.method == POST &&", then not every POST request with data gets captured. Some go missing. What am I doing wrong? Is everyone 100% positive that is what I should be using?

(25 Jul '15, 13:31) im_a_lawyer

I'm not even 10% positive that is what you should be using..

You are referencing a wireshark page whilst asking a tshark question, a small but important difference.

scroll down to -e and -T for explanations of the fields. You may also want to look the at -E parameter.

-Y "http.request.method == POST" is fine for filter, you don't need to && anything to it. As for in my attempts, all the login info was contained there, mileage may vary. The easiest way is to open / start a capture in Wireshark, look at the field containing the Information you are interested in and use this as a -e PARAMETER next time.

(26 Jul '15, 10:22) DarrenWright

That field always has a different name. If I'm submitting a regular form, then that whole field is named: HTML Form URL Encoded: application/x-www-form-urlencoded If it's a multipart form then it is named: "MIME Multipart Media Encapsulation, Type: multipart/form-data

If raw data is sent then somehow it is still called multipart/form-data...

basically, does not capture all POST requests, but since I'm probably only interested in form-data, then I'll just settle for:

-e urlencoded-form.key -e urlencoded-form.value

I'll accept your answer anyways

(26 Jul '15, 12:12) im_a_lawyer
showing 5 of 7 show 2 more comments

This got much easier with Wireshark 2.x or so. At least the following works for me with Wireshark 2.2.5 from Debian 9 but not with Wireshark 1.8.x from RHEL 6:

tshark -Y http.request.method==POST -Tfields -e http.file_data

I though would still be interested in a nice solution for Wireshark 1.8. Neither

tshark -Y http.request.method==POST -Tfields -e


tshark -Y http.request.method==POST -Tfields -e text

are really useful without further manual decoding.

permanent link

answered 29 Mar '17, 06:01

XTaran's gravatar image

accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 25 Jul '15, 09:43

question was seen: 24,000 times

last updated: 29 Mar '17, 06:01

p​o​w​e​r​e​d by O​S​Q​A