This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Get decompressed header from http2

0

Anyone knows a way to get just the decompressed headers for http2 from a capture with tshark? So far I got this command:
tshark -r somefile.pcap -o "ssl.keylog_file:sslkeylog.log" -x -Y "http2" > output.txt
But this gives me the Hexdumb and Ascii of the frame, the decrypted ssl data and the decompressed header inside the ssl data. Now I would like to just get the decompressed headers, cause the rest is not readable anyways (for most of the part).

Thanks for any help in advance :)

asked 08 Apr '16, 07:44

monkey521's gravatar image

monkey521
31337
accept rate: 0%

One Answer:

1

The decompressed headers for HTTP/2 need to be interpreted in a special way. You can obtain the full, verbose HTTP/2 interpretation with:

tshark -r somefile.pcap -o ssl.keylog_file:sslkeylog.log -Y http2 -O http2

Alternatively, you can select the fields (and post-process them to pair header names and values):

tshark -r somefile.pcap -o ssl.keylog_file:sslkeylog.log -Y http2 -Tfields -e http2.header.name -e http2.header.value

answered 08 Apr '16, 09:20

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

thank you very much! :)

(12 Apr '16, 04:14) monkey521