
I want to get http.response_for.uri in tshark

Are tshark questions here?

If I'm wrong, please let me know the URL where I can ask questions.

I want to get http.response_for.uri using tshark with the command below.

However, even when I access the HP (home page), the value is not returned.

Wireshark can get the value.

Is the command wrong?

tshark -i 4 -E separator=, -T fields -e http.response_for.uri
asked 2022-10-21 06:52:26 +0000 by m.kitagawa@tashiro-t.co.jp
updated 2022-10-24 07:50:32 +0000 by grahamb

Comments

There is no problem with this command...

7ACE (2022-10-24 02:34:36 +0000)

2 Answers


When I try the command it does output http.response_for.uri during live capture. Are you capturing encrypted streams (https)?

Instead of using a field in the http response referring to the request, you can also use the field(s) from the actual http request:

tshark -i 4 -T fields -e http.request.full_uri -Y "http.request and http"

answered 2022-10-26 12:33:38 +0000 by André, updated 2022-10-26 12:43:30 +0000

Comments

I tried the command you provided to access the yahoo article, but nothing is displayed.

By the way, URLs that are not accessed irregularly are displayed.

The URL is below.

192.168.0.30 is used as a file server and no web service has been started.

Not even a gateway.

http://192.168.0.30:8080/T/216/EwbIR8...

m.kitagawa@tashiro-t.co.jp (2022-10-28 06:54:49 +0000)

I tried the command you provided to access the yahoo article, but nothing is displayed.

What happens if you try the command

tshark -i 4 -w {capture file}

where {capture file} is the pathname for some file in a directory in which you can create a file, let it run for a while until you know that it would have captured the traffic containing the request and reply, stop the capture by typing control-C and then run the commands

tshark -r {capture file} -T fields -e http.request.full_uri -Y "http.request and http"

and

tshark -r {capture file}

Does the first command show the field?

Does the second command show any HTTP traffic?

Guy Harris (2022-10-28 07:31:58 +0000)

http://192.168.0.30:8080/T/...

Maybe the traffic over port 8080 is not recognized as http. You can force it by adding the 'decode as' option:

 -d tcp.port==8080,http

André (2022-10-28 08:09:34 +0000)

You will probably need to enable 2-pass processing via the -2 flag.

answered 2022-10-21 09:10:27 +0000 by grahamb

Comments

What are 2-pass and the -2 flag?

Please tell me specifically.

m.kitagawa@tashiro-t.co.jp (2022-10-23 23:06:00 +0000)

It's described in the tshark man page right at the start of the options list.

grahamb (2022-10-24 07:52:38 +0000)

I ran it with "-2", but the following message is displayed.

tshark: Live captures do not support two-pass analysis.

tshark -2 -i 4 -E separator=, -T fields -e http.response_for.uri

m.kitagawa@tashiro-t.co.jp (2022-10-25 05:32:26 +0000)

Then you will have to capture the traffic and write it to a file, and then run tshark, reading the file, with -2.

Guy Harris (2022-10-25 06:13:33 +0000)

It is necessary to get the URL in real time as a requirement.

How can I get the URL accessed in real time?

m.kitagawa@tashiro-t.co.jp (2022-10-26 07:11:10 +0000)
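The thread ends with the real-time requirement unresolved: -2 is refused on a live capture, and whether http.response_for.uri is populated on a single pass is left open. One way around it is to stop relying on that field and do the request/response correlation yourself from fields tshark does emit on the first pass. The script below is an added example written for this page, not code from the thread or from the Wireshark project. It runs tshark with -l (flush after every packet) and -T fields, asks for tcp.stream, http.request.full_uri and http.response.code, and pairs each response with the oldest outstanding request on the same TCP stream. The interface name and the optional decode-as port are taken from the command line; the sample lines in SAMPLE_OUTPUT are constructed to look like tshark's output and are not captured traffic.

```python
"""Pair HTTP responses with their requests from live tshark field output."""
import subprocess
import sys
from collections import defaultdict, deque

# Field order handed to tshark with -e; pair_responses() relies on it.
FIELDS = ["tcp.stream", "http.request.full_uri", "http.response.code"]


def pair_responses(lines):
    """Yield (request_uri, status_code) for each HTTP response seen.

    `lines` are tab-separated tshark records in FIELDS order. Requests on
    a TCP stream are queued FIFO; each response takes the oldest
    outstanding request on its stream, which is how HTTP/1.1 orders
    responses on a persistent connection. A response with no known
    request (e.g. the request was on the wire before capture started)
    yields None as the URI instead of being dropped silently.
    """
    pending = defaultdict(deque)
    for raw in lines:
        parts = raw.rstrip("\r\n").split("\t")
        if len(parts) != len(FIELDS):
            continue  # header, blank or truncated line
        stream, uris, codes = parts
        # Several HTTP messages in one segment are ','-joined by tshark.
        for uri in filter(None, uris.split(",")):
            pending[stream].append(uri)
        for code in filter(None, codes.split(",")):
            queue = pending[stream]
            yield (queue.popleft() if queue else None, code)


def build_command(interface, extra_port=None):
    """tshark command line that prints FIELDS per HTTP packet, unbuffered."""
    cmd = ["tshark", "-i", interface, "-l", "-T", "fields",
           "-E", "separator=/t", "-Y", "http.request or http.response"]
    if extra_port is not None:
        # Non-standard port (8080 in the thread) needs a decode-as rule.
        cmd += ["-d", f"tcp.port=={extra_port},http"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def run_live(interface, extra_port=None):
    """Run tshark on `interface` and print status/URI pairs as they arrive."""
    proc = subprocess.Popen(build_command(interface, extra_port),
                            stdout=subprocess.PIPE, text=True)
    try:
        for uri, code in pair_responses(proc.stdout):
            print(f"{code}\t{uri or '<request not captured>'}", flush=True)
    finally:
        proc.terminate()


# Constructed sample of what tshark prints with the command above
# (not real captured traffic): two interleaved streams, one of them
# carrying two requests on a keep-alive connection, plus a response
# whose request was never captured.
SAMPLE_OUTPUT = [
    "0\thttp://192.168.0.30:8080/sample/\t",
    "1\thttp://example.com/a\t",
    "0\t\t200",
    "1\t\t404",
    "1\thttp://example.com/b\t",
    "1\t\t200",
    "2\t\t500",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        run_live(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        for pair in pair_responses(SAMPLE_OUTPUT):
            print(pair)
```

Run it as `python3 pair_http.py 4 8080` to watch interface 4 with port 8080 decoded as HTTP, or with no arguments to see the correlation applied to the constructed sample. Because correlation happens per TCP stream, the script only sees plaintext HTTP; HTTPS traffic never produces http.* fields, which is the first thing to rule out when the live command prints nothing at all.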
