This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to dump websockets live with tshark?

0

Websocket text is masked and isn't viewable with tcpdump. Trying to see it with this:

tshark -e websocket.payload.text_unmask -Tfields port 1234

There was a websocket.payload.text_unmask filter, but where it's gone in 2.0.2?

asked 11 Apr '17, 00:05

chip-devel's gravatar image

chip-devel
6113
accept rate: 0%

2 Answers:

1

The websocket.payload.text_unmask field was removed in Wireshark 2.0, this filter would not always exist (namely, when payloads were not masked). The websocket.payload field is supposed to be the replacement, but it appears that its field type unfortunately does not allow operators like websocket.payload contains "Rock" (it is a FT_NONE rather than a FT_BYTES field type).

Note that the websocket.payload field also contains the data for control frames so it is likely not what you want.

Depending on the Websocket preference "Dissect websocket text as", you can control that the data is displayed as Line-based text (the default), JSON or SIP. For your type of data (lines of text) it is unfortunately not possible to add a filter to extract this data.

If you would like to do so, you could write a subdissector for Websockets data. This will take precedence over the fallback to Line-based text. Example Lua dissector:

local myproto = Proto("myproto", "Websocket Text")
myproto.fields.text = ProtoField.string("myproto.text", "Websocket text")
function myproto.dissector(tvb, pinfo, tree)
    tree:add(myproto.fields.text, tvb())
end
local function myproto_heur(tvb, pinfo, tree)
    myproto.dissector(tvb, pinfo, tree)
    return true -- accept all Websockets data (do not call other dissectors)
end
myproto:register_heuristic("ws", myproto_heur)

Example usage:

tshark -r out.pcap -Xlua_script:ws.lua -Tfields -e myproto.text

answered 12 Apr '17, 14:44

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

edited 12 Apr '17, 14:44

Doesn't read what iocat tool produces.

(09 May '17, 06:43) chip-devel

0

Try the field "websocket.payload".

answered 11 Apr '17, 02:09

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Unfortunately it prints mostly empty lines.

(11 Apr '17, 05:36) chip-devel

We'll need to see a capture to help any further.

Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, Dropbox?

(11 Apr '17, 06:09) grahamb ♦

Rolled back to the 1.10.6 - 'websocket.payload.text_unmask' works. Testing now with http://www.websocket.org/echo.html - Wireshark shows the contents, but tshark doesn't, capture: https://drive.google.com/open?id=0B-8YrNWvmVCgX2hVbDBaWkgzZTQ

(11 Apr '17, 08:05) chip-devel

Try this:

tshark -r out.pcap -Y websocket.payload -E occurrence=l -T fields -e text

The unmasked text is handed off to the "Line-Based text data" dissector, so you need to use the field selector for that, and also set the occurrence to the last instance of that field in the packet to remove "noise". I've also added a filter to limit the output to packets that contain a websocket payload.

(11 Apr '17, 08:42) grahamb ♦