 

How do I use tshark to print request-response pairs from a pcap file?

Given a pcap file, I'm able to extract a lot of information from the reconstructed HTTP request and responses using the neat filters provided by Wireshark. I've also been able to split the pcap file into each TCP stream.

Trouble I'm running into now is that of all the cool filters I'm able to use with tshark, I can't find one that will let me print out full request/response bodies. I'm calling something like this:

 tshark -r dump.pcap -R "tcp.stream==123 and http.request" -T fields -e http.request.uri

Is there some filter name I can pass to -e to get the request/response body? The closest I've come is to use the -V flag, but it also prints out a bunch of information I don't necessarily want, and I want to avoid having to kludge it out with a "dumb" filter.

Steven asked Jan 18 '12 00:01




1 Answer

This probably wasn't an option when the question was asked but newer versions of tshark can "follow" conversations.

tshark -nr dump.pcap -qz follow,tcp,ascii,123

I know this is a super old question. I'm just adding this for anyone that ends up here looking for a current solution.

accept_gzip answered Sep 28 '22 12:09
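The `-z follow,tcp,ascii,123` output above reassembles both directions of stream 123 and prints them interleaved; it does not tell you which response belongs to which request. The following added example (not part of the answer or of tshark) does the same reassembly with only the Python standard library and then pairs each request with its response. It assumes a little-endian pcap with Ethernet link type, IPv4/TCP only, and HTTP/1.x messages delimited by Content-Length (no chunked encoding); the capture it parses is constructed inline, including one response split across two segments captured out of order so that sequence-number reassembly is exercised. All names in it are the example's own.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap magic, written little-endian below

def _ipv4(src, dst, tcp):
    """Minimal IPv4 header: no options, checksum 0 (offline parsing does not verify it)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       addr(src), addr(dst)) + tcp

def _tcp(sport, dport, seq, payload):
    """Minimal TCP header: data offset 5 words, flags PSH|ACK, checksum 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

def _frame(src, dst, sport, dport, seq, payload):
    """One pcap record: 16-byte record header + Ethernet (dummy MACs) + IPv4 + TCP."""
    pkt = b"\x00" * 12 + b"\x08\x00" + _ipv4(src, dst, _tcp(sport, dport, seq, payload))
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

def build_sample_pcap():
    """Constructed capture (not real traffic): two keep-alive requests on one connection,
    the second response split across two segments that were captured out of order."""
    c, s = "10.0.0.5", "192.0.2.10"
    req1 = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp1 = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    req2 = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp2a, resp2b = b"HTTP/1.1 302 Found\r\n", b"Location: /\r\nContent-Length: 0\r\n\r\n"
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    frames = [_frame(c, s, 40000, 80, 1, req1),
              _frame(s, c, 80, 40000, 1, resp1),
              _frame(c, s, 40000, 80, 1 + len(req1), req2),
              _frame(s, c, 80, 40000, 1 + len(resp1) + len(resp2a), resp2b),  # captured first
              _frame(s, c, 80, 40000, 1 + len(resp1), resp2a)]
    return ghdr + b"".join(frames)

def iter_tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment that carries data."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("this example handles little-endian pcap with Ethernet linktype only")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00":  # EtherType is not IPv4
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:  # protocol is not TCP
            continue
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport,
                   seq, payload)

def follow_streams(pcap):
    """Reassemble each TCP stream per direction, as tshark's `-z follow,tcp` does: the source of
    the first segment seen is the client; segments go in sequence order, retransmits are dropped."""
    streams = {}
    for src, sport, dst, dport, seq, payload in iter_tcp_segments(pcap):
        key = frozenset({(src, sport), (dst, dport)})
        st = streams.setdefault(key, {"client": (src, sport), "c": {}, "s": {}})
        st["c" if (src, sport) == st["client"] else "s"].setdefault(seq, payload)
    return {key: {"client": b"".join(st["c"][k] for k in sorted(st["c"])),
                  "server": b"".join(st["s"][k] for k in sorted(st["s"]))}
            for key, st in streams.items()}

def split_http_messages(data):
    """Split one direction into HTTP/1.x messages using the header terminator and Content-Length.
    Chunked transfer encoding is not handled here; a truncated trailing message is dropped."""
    msgs = []
    while data:
        end = data.find(b"\r\n\r\n")
        if end < 0:
            break
        head, length = data[:end + 4], 0
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):
                length = int(line.split(b":", 1)[1].strip())
        msgs.append(data[:end + 4 + length])
        data = data[end + 4 + length:]
    return msgs

def request_response_pairs(pcap):
    """Pair the n-th request with the n-th response on each connection (HTTP/1.1 requires
    responses in request order). Returns [(request_bytes, response_bytes_or_None), ...]."""
    pairs = []
    for dirs in follow_streams(pcap).values():
        reqs, resps = split_http_messages(dirs["client"]), split_http_messages(dirs["server"])
        pairs.extend(zip(reqs, resps + [None] * (len(reqs) - len(resps))))
    return pairs

if __name__ == "__main__":
    for req, resp in request_response_pairs(build_sample_pcap()):
        print(req.split(b"\r\n")[0].decode(), "->",
              resp.split(b"\r\n")[0].decode() if resp else "(no response)")
```

Run it as a script to see the two request lines printed beside their status lines; to use it on a real capture, replace `build_sample_pcap()` with the bytes of the file. When staying with tshark, note that the `ascii` follow mode in the answer's command replaces non-printable bytes with dots, so for compressed or binary bodies use `-z follow,tcp,raw,123` and decode the hex yourself.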