This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Anyone knows a way to get just the decompressed headers for http2 from a capture with tshark? So far I got this command:
tshark -r somefile.pcap -o "ssl.keylog_file:sslkeylog.log" -x -Y "http2" > output.txt
But this gives me the Hexdumb and Ascii of the frame, the decrypted ssl data and the decompressed header inside the ssl data. Now I would like to just get the decompressed headers, cause the rest is not readable anyways (for most of the part).

Thanks for any help in advance :)

asked 08 Apr '16, 07:44

monkey521's gravatar image

monkey521
31337
accept rate: 0%


The decompressed headers for HTTP/2 need to be interpreted in a special way. You can obtain the full, verbose HTTP/2 interpretation with:

tshark -r somefile.pcap -o ssl.keylog_file:sslkeylog.log -Y http2 -O http2

Alternatively, you can select the fields (and post-process them to pair header names and values):

tshark -r somefile.pcap -o ssl.keylog_file:sslkeylog.log -Y http2 -Tfields -e http2.header.name -e http2.header.value
permanent link

answered 08 Apr '16, 09:20

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

thank you very much! :)

(12 Apr '16, 04:14) monkey521
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×69
×56
×1

question asked: 08 Apr '16, 07:44

question was seen: 1,923 times

last updated: 12 Apr '16, 04:14

p​o​w​e​r​e​d by O​S​Q​A