This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract HTTP POST packets using tshark

1
1

Hello.

I have a capture file named original.pcap from a wifi capture I did. When I open it in Wireshark and properly configure decryption, I can see two HTTP POST packets. When I double-click any of those packets, I got a window that shows me the packet in three different view modes (Frame, Decrypted CCMP data and Reassembled TCP). So far, so good.

Now, I'm trying to create a new file named post.pcap using tshark with those HTTP POST packets only. I tried the following command (no copy/paste here, please ignore any typos):

tshark -r original.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\" MyPassword:MySSID\"" -Y "http.request.method == "POST" or eapol" -w post.pcap

I used UAT to config decryption in tshark. Also, I extracted eapol packets so tshark can do the decryption.

But when I open post.pcap in Wireshark, I can see the EAPOL packets and just two TCP packets, not the HTTP packets I was expecting. If I double-click one of those TCP packets, I can see it is related to the original HTTP POST, but it shows me only two view modes (Frame and Decrypted CCMP data). It seems that I need more packets in the original file in order to properly show the HTTP packets.

How can I make tshark extract the right combination of packets?

Thanks.

asked 25 Jul '16, 16:19

santonline's gravatar image

santonline
26125
accept rate: 0%

edited 25 Jul '16, 16:20

One Answer:

0

There may be a way to accomplish this in a single step (possibly using MATE or some other method?), but you should be able to at least use a 2-step approach to have tshark extract the packets you need.

First, find the relevant TCP stream(s) (options omitted for brevity and clarity):

tshark -r original.pcap -Y "http.request.method == "POST"" -T fields -e tcp.stream

(For illustrative purposes, let's suppose there are 2 matching streams, numbers 1 and 3.)

Second, modify the filter to include the entire stream and save those packets to your file:

tshark -r original.pcap -Y "tcp.stream eq 1 or tcp.stream eq 3 or eapol" -w post.pcap

answered 26 Jul '16, 10:41

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

edited 26 Jul '16, 10:50

Thank you, but I forgot to mention that I want to make a script out of it. Is there a way pass the stream IDs to the filter in the second command automatically?

(27 Jul '16, 12:02) santonline

Below is my attempt at a script that should get you more or less what you want. It can produce either a single .pcapng file with all streams in one file, or it can produce a separate .pcapng file, one for each stream.

#!/bin/sh
# Usage: post.sh <infile> <outfileprefix> [unified]

if [ ${#} -lt 2 ] ; then
echo "Usage: $0 <infile> <outfileprefix> [unified]"
exit 0
fi


infile=${1}
outfile_pfx=${2}


unified=0
if [ ${#} -gt 2 ] ; then
if [ "${3}" == "unified" ] ; then
unified=1
fi
fi


if [ ${unified} -eq 0 ] ; then
for stream in $(tshark -r ${infile} -o wlan.enable_decryption:TRUE -Y "http.request.method==&quot;POST&quot;" -T fields -e tcp.stream | sort -u | tr -d '\r')
do
tshark -r ${infile} -o wlan.enable_decryption:TRUE -Y "tcp.stream eq ${stream} or eapol" -w ${outfile_pfx}-${stream}.pcapng
echo "Wrote ${outfile_pfx}-${stream}.pcapng"
done
else
filter=
for stream in $(tshark -r ${infile} -o wlan.enable_decryption:TRUE -Y "http.request.method == &quot;POST&quot;" -T fields -e tcp.stream | sort -u | tr -d '\r')
do
if [[ -z ${filter}  ]] ; then
filter="tcp.stream eq ${stream}"
else
filter+=" or tcp.stream eq ${stream}"
fi
done


    tshark -r ${infile} -o wlan.enable_decryption:TRUE -Y &quot;${filter} or eapol&quot; -w ${outfile_pfx}.pcapng
    echo &quot;Wrote ${outfile_pfx}.pcapng&quot;



fi
(27 Jul ‘16, 13:55) cmaynard ♦♦