Capturing HTTP headers using tshark

How can I capture the HTTP traffic containing the header information using tshark in realtime?

moraist
asked 2021-01-09 01:06:33 +0000

Comments

You mention "capture" and "realtime" in the same sentence.

Are you looking to capture HTTP packets and write them to a file for later analysis, or do you want to capture only HTTP packets and decode them to the screen or a pipe?

Chuckc (2021-01-09 01:35:30 +0000)

Hi Chuck,

My first option is showing the HTTP header while the client is accessing the web server. But if it is not possible to do that in real time, I can capture the traffic to a file and apply some filter to get the HTTP headers.

moraist (2021-01-09 01:39:58 +0000)

1 Answer

(tshark man page)
The Windows machine I ran it on has many interfaces (-i 5). Pick an appropriate interface on your system.

C:\>tshark -i 5 -Y http -O http
Capturing on 'Ethernet'
Frame 12: 594 bytes on wire (4752 bits), 594 bytes captured (4752 bits) on interface \Device\NPF_{xxx}, id 0
Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: xx:xx:xx:xx:xx:xx
Internet Protocol Version 4, Src: 192.168.xxx.xxx, Dst: 192.168.xxx.xxx
Transmission Control Protocol, Src Port: 29526, Dst Port: 80, Seq: 1, Ack: 1, Len: 540
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
<snip>
Chuckc
answered 2021-01-09 02:04:25 +0000, updated 2021-01-09 02:04:58 +0000
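
Added example (not part of the answer above and not Wireshark project code): a Python filter that reads the `-O http` output shown in the answer and reduces each HTTP section to its start line and header fields. The sample text, host names and the name `parse_http_messages` are constructed for illustration; it assumes the lines of the HTTP message itself are the ones indented four spaces and ending in the literal `\r\n` that tshark prints.

```python
import sys
CRLF = r"\r\n"  # tshark prints each header's line ending as these four literal characters

# Constructed sample of `tshark -Y http -O http` output (interface and hosts are made up).
SAMPLE = r"""Frame 12: 594 bytes on wire (4752 bits), 594 bytes captured (4752 bits) on interface eth0, id 0
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
    Host: www.example.com\r\n
    User-Agent: curl/7.74.0\r\n
    \r\n
    [Full request URI: http://www.example.com/]

Frame 14: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits) on interface eth0, id 0
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Content-Type: text/html\r\n
    Content-Length: 1256\r\n
        [Content length: 1256]
    \r\n
"""

def parse_http_messages(lines):
    """Yield {'frame', 'start_line', 'headers'} for each HTTP section in the output."""
    frame, msg = None, None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.startswith(" "):  # column 0: blank separator or a layer summary line
            if msg and msg["start_line"]:
                yield msg
            msg = None
            if line.startswith("Frame "):
                frame = int(line.split(":", 1)[0].split()[1])
            elif line == "Hypertext Transfer Protocol":
                msg = {"frame": frame, "start_line": None, "headers": []}
        elif msg is not None and line.endswith(CRLF) and line[:4] == "    " and line[4:5] != " ":
            text = line[4:-len(CRLF)]  # deeper-indented and [bracketed] lines are tshark annotations
            if text and msg["start_line"] is None:
                msg["start_line"] = text
            elif text:  # empty text is the blank line that ends the header block
                name, _, value = text.partition(":")
                msg["headers"].append((name.strip(), value.strip()))
    if msg and msg["start_line"]:
        yield msg

if __name__ == "__main__":
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin  # piped input is parsed as it arrives
    for m in parse_http_messages(source):
        print(f"frame {m['frame']}: {m['start_line']}", *[f"    {k}: {v}" for k, v in m["headers"]], sep="\n", flush=True)
```

For live use, add `-l` so tshark flushes its output after each packet, e.g. `tshark -i 5 -l -Y http -O http | python http_headers.py` (the script name is hypothetical).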

Comments

Thanks, Chuckc

moraist (2021-01-09 02:06:38 +0000)