Get decompressed header from http2

Question

Anyone knows a way to get just the decompressed headers for http2 from a capture with tshark? So far I got this command:
tshark -r somefile.pcap -o "ssl.keylog_file:sslkeylog.log" -x -Y "http2" > output.txt
But this gives me the Hexdumb and Ascii of the frame, the decrypted ssl data and the decompressed header inside the ssl data. Now I would like to just get the decompressed headers, cause the rest is not readable anyways (for most of the part).

Thanks for any help in advance :)

Accepted Answer

1

The decompressed headers for HTTP/2 need to be interpreted in a special way. You can obtain the full, verbose HTTP/2 interpretation with:

tshark -r somefile.pcap -o ssl.keylog_file:sslkeylog.log -Y http2 -O http2

Alternatively, you can select the fields (and post-process them to pair header names and values):

tshark -r somefile.pcap -o ssl.keylog_file:sslkeylog.log -Y http2 -Tfields -e http2.header.name -e http2.header.value

permanent link

answered 08 Apr '16, 09:20

Lekensteyn
2.2k●3●7●24
accept rate: 30%

thank you very much! :)

(12 Apr '16, 04:14) monkey521

Get decompressed header from http2

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions