
Websocket text is masked and isn't viewable with tcpdump. I'm trying to see it with this:

tshark -e websocket.payload.text_unmask -Tfields port 1234

There was a websocket.payload.text_unmask filter, but where has it gone in 2.0.2?

asked 11 Apr '17, 00:05

chip-devel


The websocket.payload.text_unmask field was removed in Wireshark 2.0; this field would not always exist (namely, when payloads were not masked). The websocket.payload field is supposed to be the replacement, but it appears that its field type unfortunately does not allow operators like websocket.payload contains "Rock" (it is an FT_NONE rather than an FT_BYTES field type).

Note that the websocket.payload field also contains the data for control frames so it is likely not what you want.

Depending on the Websocket preference "Dissect websocket text as", you can control that the data is displayed as Line-based text (the default), JSON or SIP. For your type of data (lines of text) it is unfortunately not possible to add a filter to extract this data.

If you would like to do so, you could write a subdissector for Websockets data. This will take precedence over the fallback to Line-based text. Example Lua dissector:

-- Subdissector for Websocket data. It is registered on the "ws" heuristic
-- list, so it runs before Wireshark's fallback to Line-based text.
local myproto = Proto("myproto", "Websocket Text")
myproto.fields.text = ProtoField.string("myproto.text", "Websocket text")

-- Called with the (already unmasked) payload of each data frame;
-- the whole payload is exposed as one string field, myproto.text.
function myproto.dissector(tvb, pinfo, tree)
    tree:add(myproto.fields.text, tvb())
end

local function myproto_heur(tvb, pinfo, tree)
    myproto.dissector(tvb, pinfo, tree)
    return true -- accept all Websockets data (do not call other dissectors)
end

myproto:register_heuristic("ws", myproto_heur)

Example usage:

tshark -r out.pcap -Xlua_script:ws.lua -Tfields -e myproto.text

answered 12 Apr '17, 14:44

Lekensteyn

edited 12 Apr '17, 14:44
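The reason tcpdump shows garbage in one direction, and the reason a generic payload field also picks up control frames, is the RFC 6455 framing itself: every client-to-server frame is XOR-masked with a 4-byte key carried in the frame header, while server-to-client frames are sent in the clear, and close/ping/pong frames share the same payload slot as text. The Python script below is an added example (not code from this page or from the Wireshark project): it parses and unmasks frames from a constructed byte stream, reassembles fragmented text messages and skips control frames, which is what the subdissector approach above gets Wireshark to do for you. The mask key, the frame sequence and the echo message are constructed for the example; the RFC 6455 layout it implements is real.

```python
"""RFC 6455 WebSocket frame parsing and unmasking (added example).

All traffic here is constructed inline; nothing is read from a socket or pcap.
"""
import struct

# Opcodes, RFC 6455 section 5.2
OP_CONTINUATION, OP_TEXT, OP_BINARY = 0x0, 0x1, 0x2
OP_CLOSE, OP_PING, OP_PONG = 0x8, 0x9, 0xA
CONTROL_OPCODES = {OP_CLOSE, OP_PING, OP_PONG}

# Constructed key for the example; a real client picks a fresh random key per frame.
CLIENT_MASK = b"\x37\xfa\x21\x3d"


def unmask(payload: bytes, mask_key: bytes) -> bytes:
    """XOR each payload byte with the 4-byte key (RFC 6455 section 5.3).
    XOR is its own inverse, so the same call both masks and unmasks."""
    return bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))


def parse_frame(buf: bytes, offset: int = 0):
    """Parse one frame starting at buf[offset]; return (frame, next_offset).
    Raises ValueError if the buffer ends in the middle of a frame."""
    if len(buf) - offset < 2:
        raise ValueError("truncated frame header")
    b0, b1 = buf[offset], buf[offset + 1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = offset + 2
    # 7-bit length, or a 16/64-bit extended length when the 7 bits say 126/127
    if length == 126:
        if len(buf) - pos < 2:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
    elif length == 127:
        if len(buf) - pos < 8:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
    mask_key = b""
    if masked:
        mask_key = buf[pos:pos + 4]
        pos += 4
    payload = buf[pos:pos + length]
    if len(mask_key) not in (0, 4) or len(payload) != length:
        raise ValueError("truncated frame payload")
    if masked:
        payload = unmask(payload, mask_key)
    frame = {"fin": fin, "opcode": opcode, "masked": masked, "payload": payload}
    return frame, pos + length


def build_frame(opcode: int, payload: bytes, mask_key: bytes = b"", fin: bool = True) -> bytes:
    """Serialise a frame. Client-to-server frames MUST be masked (pass mask_key);
    server-to-client frames MUST NOT be (RFC 6455 section 5.1)."""
    b0 = (0x80 if fin else 0x00) | opcode
    mask_bit = 0x80 if mask_key else 0x00
    n = len(payload)
    if n < 126:
        header = bytes([b0, mask_bit | n])
    elif n < 0x10000:
        header = bytes([b0, mask_bit | 126]) + struct.pack("!H", n)
    else:
        header = bytes([b0, mask_bit | 127]) + struct.pack("!Q", n)
    if mask_key:
        return header + mask_key + unmask(payload, mask_key)
    return header + payload


def extract_text(stream: bytes) -> list:
    """Return every complete text message in a stream of frames, reassembling
    fragments and skipping control frames, which carry no user text even though
    a generic payload field would show their bytes."""
    texts, pending, collecting, offset = [], b"", False, 0
    while offset < len(stream):
        frame, offset = parse_frame(stream, offset)
        if frame["opcode"] in CONTROL_OPCODES:
            continue
        if frame["opcode"] == OP_TEXT:
            pending, collecting = frame["payload"], True
        elif frame["opcode"] == OP_CONTINUATION and collecting:
            pending += frame["payload"]
        else:
            collecting = False  # binary message (or stray continuation): not text
            continue
        if frame["fin"]:
            texts.append(pending.decode("utf-8"))
            pending, collecting = b"", False
    return texts


def demo_stream() -> bytes:
    """Constructed capture of both directions of an echo session, in wire order."""
    msg = b"Rock it with HTML5 WebSocket"
    return b"".join([
        build_frame(OP_TEXT, msg, CLIENT_MASK),                    # client -> server, masked
        build_frame(OP_TEXT, msg),                                 # server echo, unmasked
        build_frame(OP_PING, b"keepalive", CLIENT_MASK),           # control frame, masked
        build_frame(OP_PONG, b"keepalive"),                        # control frame, unmasked
        build_frame(OP_TEXT, b"Hello, ", CLIENT_MASK, fin=False),  # fragmented message...
        build_frame(OP_CONTINUATION, b"fragments", CLIENT_MASK),   # ...completed here
        build_frame(OP_TEXT, b"A" * 200),                          # 16-bit extended length
        build_frame(OP_CLOSE, struct.pack("!H", 1000)),            # close, status 1000
    ])


if __name__ == "__main__":
    for text in extract_text(demo_stream()):
        print(text[:40])
```

Running the script prints the four text messages and nothing for the ping, pong or close frames. Looking at the raw bytes of the first frame shows why a plain `contains "Rock"` match on captured bytes fails: the masked payload does not contain the string at all, and only after XORing with the key in the header does the text appear.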

Doesn't read what the iocat tool produces.

(09 May '17, 06:43) chip-devel

Try the field "websocket.payload".


answered 11 Apr '17, 02:09

grahamb ♦

Unfortunately it prints mostly empty lines.

(11 Apr '17, 05:36) chip-devel

We'll need to see a capture to help any further.

Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, Dropbox?

(11 Apr '17, 06:09) grahamb ♦

Rolled back to 1.10.6 - 'websocket.payload.text_unmask' works. Testing now with http://www.websocket.org/echo.html - Wireshark shows the contents, but tshark doesn't; capture: https://drive.google.com/open?id=0B-8YrNWvmVCgX2hVbDBaWkgzZTQ

(11 Apr '17, 08:05) chip-devel

Try this:

tshark -r out.pcap -Y websocket.payload -E occurrence=l -T fields -e text

The unmasked text is handed off to the "Line-Based text data" dissector, so you need to use the field selector for that, and also set the occurrence to the last instance of that field in the packet to remove "noise". I've also added a filter to limit the output to packets that contain a websocket payload.

(11 Apr '17, 08:42) grahamb ♦

question was seen: 2,983 times

last updated: 09 May '17, 06:43
