This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark…can I do the following


I use tshark to capture a group of packets. I'd like to use tshark a second time to:

1) look at a specific packet number

2) return the bytes in the data field (the actual textual response to an http query) to a file as text.

Can I issue a single tshark command that does both things?

thanks, wk

asked 26 Feb '12, 18:58

wakelt

edited 26 Feb '12, 20:32

cmaynard ♦♦


2 Answers:


Hi wk,

To filter a specific packet number, you can use the -R option to set a display filter like the following where X is the packet you want.

tshark -r <infile> -R frame.number==X

Are you looking for the server response to an HTTP request? That is available with the following:

tshark -r <infile> -R frame.number==X -T fields -e http.response.code -e http.response.phrase

Getting back the full HTTP data response isn't as easy, since the payload may be split over multiple packets. You can get back the tcp.data layer, but that will also contain any HTTP headers in the packet. Also, the output seems to be only in hex.

tshark -r <infile> -R frame.number==X -T fields -e tcp.data

Hope this helps somewhat; I'm not sure if the whole HTTP response can be pulled out of tshark easily.

answered 26 Feb '12, 20:00

zachad

thanks Zachad !

I am trying to get at some data that is included in the http response. For example, there may be some text wrapped inside the http response.

I can use:

-T fields -e data-text-lines

This gets me to the top of the data in the reassembled payload. The data of interest lies immediately below. How do I extract (= save in a file) the remainder of the reassembled payload?

-wk

(27 Feb '12, 05:43) wakelt

(I converted your "answer" to a "comment", please see the FAQ for details)

(27 Feb '12, 06:51) SYN-bit ♦♦
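One way to deal with the two problems raised above (tcp.data coming back as hex, and the HTTP headers sitting in front of the body wk wants to save) is to post-process the tshark field output. This is an added example, not code from the thread or from Wireshark; it assumes the tcp.data lines were printed in stream order for a single response with no retransmissions, and the sample output below is constructed rather than taken from a real capture.

```python
"""Turn the hex that `tshark -T fields -e tcp.data` prints into the HTTP body.

tshark prints byte fields as colon-separated hex, one line per matching frame.
This helper decodes those lines, joins the payloads in the order tshark printed
them, strips the HTTP response headers and writes the body to a file.
"""
from pathlib import Path
from typing import Tuple

HEADER_END = b"\r\n\r\n"  # blank line that terminates the HTTP header block


def decode_tcp_data_lines(output: str) -> bytes:
    """Decode tshark's colon-separated hex lines into one byte string.

    Assumption: the lines are already in stream order with no retransmissions;
    real TCP reassembly is left to tshark itself.
    """
    payload = bytearray()
    for line in output.splitlines():
        line = line.strip()
        if not line:  # frames with no tcp.data field print an empty line
            continue
        payload.extend(bytes.fromhex(line.replace(":", "")))
    return bytes(payload)


def split_http_response(raw: bytes) -> Tuple[bytes, bytes]:
    """Separate the HTTP header block from the body that follows the blank line."""
    idx = raw.find(HEADER_END)
    if idx == -1:
        raise ValueError("no end of HTTP headers found; response may be truncated")
    return raw[:idx], raw[idx + len(HEADER_END):]


def save_http_body(output: str, dest: Path) -> int:
    """Write the decoded HTTP body to `dest`; return the number of bytes written."""
    _headers, body = split_http_response(decode_tcp_data_lines(output))
    dest.write_bytes(body)
    return len(body)


# Constructed sample: a small HTTP response whose TCP payload spans two frames,
# encoded the way tshark prints tcp.data (not real capture output).
_FRAME1 = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 28\r\n\r\nhello from the "
_FRAME2 = b"capture file\n"
SAMPLE_OUTPUT = "\n".join(":".join(f"{b:02x}" for b in frame) for frame in (_FRAME1, _FRAME2))

if __name__ == "__main__":
    print(f"wrote {save_http_body(SAMPLE_OUTPUT, Path('response_body.txt'))} bytes")
```

In practice the input would be the saved output of `tshark -r <infile> -R "tcp.stream==N && http.response" -T fields -e tcp.data`, so that every frame of the response is included rather than just one.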


You can also use the "-V" option of tshark like this:

tshark -r file.cap -R http -V

This will give you full dissection on all protocols. You can restrict full dissection to only HTTP by adding "-O http".

Hope this helps...

answered 27 Feb '12, 06:53

SYN-bit ♦♦

Thanks SYN-Bit....

I don't see an -O option available for tshark. Did you mean something different? I suppose I could pipe the tshark output into a script that will strip out the data I'm looking for.

(27 Feb '12, 11:58) wakelt

(please use "add new comment" instead of "answer", see the FAQ for details)

The -O option was added recently, so I think you will need version 1.7.x for it.

(27 Feb '12, 12:15) SYN-bit ♦♦