This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Get decompressed header from http2

0

Anyone knows a way to get just the decompressed headers for http2 from a capture with tshark? So far I got this command:
tshark -r somefile.pcap -o "ssl.keylog_file:sslkeylog.log" -x -Y "http2" > output.txt
But this gives me the Hexdumb and Ascii of the frame, the decrypted ssl data and the decompressed header inside the ssl data. Now I would like to just get the decompressed headers, cause the rest is not readable anyways (for most of the part).

Thanks for any help in advance :)

asked 08 Apr '16, 07:44

monkey521's gravatar image

monkey521
31337
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
1

The decompressed headers for HTTP/2 need to be interpreted in a special way. You can obtain the full, verbose HTTP/2 interpretation with:

tshark -r somefile.pcap -o ssl.keylog_file:sslkeylog.log -Y http2 -O http2

Alternatively, you can select the fields (and post-process them to pair header names and values):

tshark -r somefile.pcap -o ssl.keylog_file:sslkeylog.log -Y http2 -Tfields -e http2.header.name -e http2.header.value
permanent link

answered 08 Apr '16, 09:20

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

thank you very much! :)

(12 Apr '16, 04:14) monkey521
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832
×69
×56
×1

question asked: 08 Apr '16, 07:44

question was seen: 1,803 times

last updated: 12 Apr '16, 04:14

Related questions

How does Wireshark decrypt SSL/TLS with only ClientRandom

tshark is decrypting data but output pcap file still has encrypted data

TShark: Capture and Display Filters for HTTP/HTTPS

Capture time using capinfos

Running TShark in a batch file with -r attempts to capture traffic rather than reading the file

MAC address resolution in tshark

Extract files using tshark to save locally

What should I do to transform the captured pcap data into the CSV format including Timestamp, protocol and packet_length?

How to hide the count of captured packets with tshark

Capture on all interfaces in tshark

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A