Websocket text is masked and isn't viewable with tcpdump. Trying to see it with this:
There was a
asked 11 Apr '17, 00:05 chip-devel
2 Answers:
The
Note that the
Depending on the Websocket preference "Dissect websocket text as", you can control that the data is displayed as Line-based text (the default), JSON or SIP.
For your type of data (lines of text) it is unfortunately not possible to add a filter to extract this data. If you would like to do so, you could write a subdissector for Websockets data. This will take precedence over the fallback to Line-based text.
Example Lua dissector:
Example usage:
answered 12 Apr '17, 14:44 Lekensteyn edited 12 Apr '17, 14:44
Try the field "websocket.payload".
answered 11 Apr '17, 02:09 grahamb ♦

Unfortunately it prints mostly empty lines. (11 Apr '17, 05:36) chip-devel

We'll need to see a capture to help any further. Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, Dropbox? (11 Apr '17, 06:09) grahamb ♦

Rolled back to the 1.10.6 - 'websocket.payload.text_unmask' works. Testing now with http://www.websocket.org/echo.html - Wireshark shows the contents, but tshark doesn't, capture: https://drive.google.com/open?id=0B-8YrNWvmVCgX2hVbDBaWkgzZTQ (11 Apr '17, 08:05) chip-devel

Try this:
The unmasked text is handed off to the "Line-Based text data" dissector, so you need to use the field selector for that, and also set the occurrence to the last instance of that field in the packet to remove "noise". I've also added a filter to limit the output to packets that contain a websocket payload. (11 Apr '17, 08:42) grahamb ♦
Doesn't read what iocat tool produces.
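
For reference, the masking that hides client-to-server WebSocket text from tcpdump is the RFC 6455 per-frame XOR with a 4-byte key, which is what the dissector undoes before handing the payload on. The following is an added example, not code from this thread or from Wireshark: a minimal frame parser that unmasks payloads from raw stream bytes. The function names are this example's own, and the sample bytes are constructed from the "Hello" frames in RFC 6455 section 5.7.

```python
import struct

OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}

def parse_frame(buf, offset=0):
    """Parse one RFC 6455 frame at offset. Returns (frame, next_offset),
    or (None, offset) if buf does not hold a complete frame yet."""
    pos = offset + 2
    if len(buf) < pos:
        return None, offset
    b0, b1 = buf[offset], buf[offset + 1]
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    # 126 and 127 mean the real length follows as a 16- or 64-bit integer.
    ext = {126: "!H", 127: "!Q"}.get(length)
    if ext:
        size = struct.calcsize(ext)
        if len(buf) < pos + size:
            return None, offset
        (length,) = struct.unpack_from(ext, buf, pos)
        pos += size
    key = b""
    if masked:  # client-to-server frames carry a 4-byte masking key
        key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + length:
        return None, offset
    payload = buf[pos:pos + length]
    if masked:  # unmask: XOR each payload byte with key[i mod 4]
        payload = bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    frame = {"fin": bool(b0 & 0x80), "opcode": OPCODES.get(b0 & 0x0F, "reserved"),
             "masked": masked, "payload": payload}
    return frame, pos + length

def parse_stream(buf):
    """Parse back-to-back frames; returns (frames, leftover_bytes)."""
    frames, offset = [], 0
    while True:
        frame, nxt = parse_frame(buf, offset)
        if frame is None:
            return frames, buf[offset:]
        frames.append(frame)
        offset = nxt

# Constructed sample: masked client "Hello", unmasked server "Hello"
# (both from RFC 6455 section 5.7), then one byte of a truncated frame.
SAMPLE = bytes.fromhex("818537fa213d7f9f4d5158" "810548656c6c6f" "81")

if __name__ == "__main__":
    for f in parse_stream(SAMPLE)[0]:
        print(f["opcode"], "masked" if f["masked"] else "unmasked", f["payload"])
```
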