How to get untruncated text from tshark with chunked, compressed http traffic

Question

I have some http traffic which happens to be served compressed, chunked and encrypted. I have the client master-secrete and CLIENT_RANDOM, so I am using that to decrypt the traffic.

I'm using a bleeding edge build (win32-2.1.0-132-g3ef2fd6) as it seems to supports combined dechunking, decompression and decryption well. Everything works in the wireshark GUI, but it would be convenient to be able to export the plain text of the HTTP request and response using tshark. I can get the full ASCII text in the GUI by going:

Uncompressed Entity Body -> Line-based text data -> right click -> Copy -> ...As printable text

However, with tshark, I can only get the first few bytes of that text by using:

tshark.exe -Y "http" -o ssl.keylog_file:"{key_file}" -r "{input_file}" -T fields -e text

Which returns something like:

Source GeoIP: Unknown,Destination GeoIP: Unknown,GET / HTTP/1.1\r\n,\r\n
Source GeoIP: Unknown,Destination GeoIP: Unknown,HTTP/1.1 200 OK\r\n,\r\n,HTTP chunked response,Data
 chunk (7516 octets),Data chunk (8192 octets),Data chunk (4307 octets),End of chunked encoding,\r\n,
Content-encoded entity body (gzip): 20015 bytes -> 107148 bytes, [truncated] The first few bytes of the http
response. If I keep going on and on and on and on and on and on and on and on and on and on and on

Is there a way to get the non-truncated text using tshark?

Answer 1

Please see my answer to a similar question:

https://ask.wireshark.org/questions/43023/want-to-use-tshark-to-decode-a-specific-packet-and-do-not-truncate-lines

I did not try, but maybe the 'follow' option might work as well in 2.1.0 incl. decompression (as I said, not tested, just speculation).

tshark -nr input.pcap ... -z follow,tcp,ascii,1

Please replace 1 with the correct TCP stream number.

Regards
Kurt