When I use tshark to decode a capfile like this:
tshark -V -r test.cap -Y 'http>0'
I got
...
JavaScript Object Notation: application/json
Object
Member Key: "ret"
Number value: 99
Member Key: "message"
String value:test
The question is how I can get JSON data like this using tshark:
...
{"ret":99,"message":"test"}
Open Wireshark and go to “File → Open”. Select the file “http-traffic.cap” and click “Open”. You can see all the packets captured.
Without any options set, TShark works much like tcpdump. It uses the pcap library to capture traffic from the first available network interface and displays a summary line on the standard output for each received packet.
To use a display filter with tshark, use -Y 'display filter'. Single quotes are recommended for the display filter to avoid bash expansions and problems with spaces. If you create a filter and want to see how it is evaluated, dftest is bundled with Wireshark.
TShark is a terminal oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn't necessary or available.
tshark -r test.cap -Y 'http>0' -T json
tshark -r test.cap -Y 'http>0' -T json -x # to also include the raw packet data
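The -T json output is tshark's dissection tree, not the body as it appeared on the wire. To get back the original text, such as {"ret":99,"message":"test"}, one option is to decode the raw bytes of the JSON layer from the -x output. This is an added example, not part of the original answer; it assumes the -x output carries a json_raw entry under _source.layers (either a hex string or a list whose first element is the hex string), and the sample input is constructed rather than captured.

```python
import json

# Constructed sample, trimmed to the parts used here. It mirrors the layout
# assumed for `tshark -r test.cap -Y 'http>0' -T json -x` output.
BODY = b'{"ret":99,"message":"test"}'
SAMPLE_TSHARK_JSON = json.dumps([{
    "_source": {"layers": {
        "frame_raw": ["00" * 14, 0, 14, 0, 1],
        "http": {"http.content_type": "application/json"},
        "json_raw": [BODY.hex(), 54, len(BODY), 0, 1],
        "json": {"json.object": "..."},
    }}
}])


def hex_strings(raw):
    """Yield hex strings from a *_raw value: a plain string,
    a [hex, pos, len, ...] list, or a list of such lists."""
    if isinstance(raw, str):
        yield raw
    elif isinstance(raw, list) and raw:
        if isinstance(raw[0], str):
            yield raw[0]
        else:
            for item in raw:
                yield from hex_strings(item)


def extract_json_bodies(tshark_json_text):
    """Return the decoded JSON bodies found in `tshark -T json -x` output."""
    bodies = []
    for packet in json.loads(tshark_json_text):
        layers = packet.get("_source", {}).get("layers", {})
        for hex_str in hex_strings(layers.get("json_raw")):
            try:
                text = bytes.fromhex(hex_str).decode("utf-8")
                bodies.append(json.loads(text))
            except ValueError:
                # Bad hex, invalid UTF-8 or a truncated body: skip this
                # packet instead of aborting the whole run.
                continue
    return bodies


if __name__ == "__main__":
    for body in extract_json_bodies(SAMPLE_TSHARK_JSON):
        print(json.dumps(body, separators=(",", ":")))
```

With a real capture, redirect the tshark output to a file and pass its contents to extract_json_bodies.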