Ask Your Question
0

how to print tcp.reassembled.data value during live capture using tshark?

asked 2020-12-15 18:46:18 +0000

Yury gravatar image

I'm using tshark to read HTTP packets from .pcap file and print the reassembled TCP data to screen. The HTTP runs on port 1030 instead of the default 80. The command below decodes port 1030 as HTTP and applies some display filters for source ip, source port and HTTP method.

tshark -d tcp.port==1030,http -Y ip.src=='10.106.224.3' -Y tcp.srcport==1030 -Y http.request.method=='POST' -T fields -e tcp.reassembled.data -r 3_minute_20201028.pcapng.gz

This works fine for the .pcap file, sample output is bellow:

0a534f4150416374696f6e3a687474703a2f2f7777772e7665737461732e646b2f323030312f30342f617023537562736372697074696f6e43616c6c6261636b0d0a0d0a3c534f41502d454e563a456e76656c6f706520786d6c6e733a534f41502d454e563d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f2220786d6c6e733a534f41502d454e433d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e636f64696e672f2220786d6c6e733a7873693d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612d696e7374616e63652f223e3c534f41502d454e563a426f64793e3c41502d4d53473a537562736372697074696f6e43616c6c6261636b20786d6c6e733a41502d4d53473d22687474703a2f2f7777772e7665737461732e646b2f323030312f30342f6170223e3c5265706c79426173652052637654696d653d22323032302d30392d31365431353a32313a33372e38313922205265706c7954696d653d22323032302d31302d32395430333a30313a31312e3138322220436c69656e745265717565737448616e646c653d2235222053657269616c4e756d6265723d22333637303431382220526566726573683d2230222f3e3c2f41502d4d53473a537562736372697074696f6e43616c6c6261636b3e3c2f534f41502d454e563a426f64793e3c2f534f41502d454e563a456e76656c6f70653e 504f5354202f415020485454502f312e310d0a486f73743a2031302e3130362e3232342e3232300d0a436f6e74656e742d547970653a20746578742f786d6c3b20636861727365743d49534f2d383835392d310d0a436f6e74656e742d4c656e6774683a203439300d0a534f4150416374696f6e3a687474703a2f2f7777772e7665737461732e646b2f323030312f30342f617023537562736372697074696f6e43616c6c6261636b0d0a0d0a3c534f41502d454e563a456e76656c6f706520786d6c6e733a534f41502d454e563d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f2220786d6c6e733a534f41502d454e433d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e636f64696e672f2220786d6c6e733a7873693d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612d696e7374616e63652f223e3c534f41502d454e563a426f64793e3c41502d4d53473a537562736372697074696f6e43616c6c6261636b20786d6c6e733a41502d4d53473d22687474703a2f2f7777772e7665737461732e646b2f323030312f30342f6170223e3c5265706c79426173652052637654696d653d22323032302d30392d31365431353a32313a33382e38383022205265706c7954696d653d22323032302d31302d32395430333a30313a31312e3539352220436c69656e745265717565737448616e646c653d2239222053657269616c4e756d6265723d22333637303735362220526566726573683d2230222f3e3c2f41502d4d53473a537562736372697074696f6e43616c6c6261636b3e3c2f534f41502d454e563a426f64793e3c2f534f41502d454e563a456e76656c6f70653e

I'm trying to adopt the above command to run during live capture, I've switched -r ... to -i vestas_sim_br which is the name of the docker bridge interface. The full command is below:

tshark -d tcp.port==1030,http -Y ip.src=='192.168.20.11' -Y tcp.srcport==1030 -Y http.request.method=='POST' -T fields -e tcp.reassembled.data -i vestas_sim_br

The command run and seems to capture traffic, but all I see are blank lines and cursor moving down the screen. After I kill it with Ctrl+C it displays the number of packets captured.

Capturing on 'vestas_sim_br' ^C8 packets captured

The .pcap file had only 1 session that was kept open. The docker seems to create one session per full exchange. I'm not sure if this matters in this case.

Looking at live capture it Wireshark with the following display filters http and xml and ip.src==192.168.20.11 and tcp.srcport==1030, after applying Reassembled TCP Data as a column I can see it for each packet.

I'm sure what's going wrong. I appreciate the help.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-12-15 19:26:44 +0000

Chuckc gravatar image

Best I can tell from the code, tshark does not support multiple -Y options - last one in wins.

case 'Y':
  dfilter = optarg;
  break;

Combine the -Y filters into one and add tcp.reassembled.data to the end to exclude the blank lines.

tshark -d tcp.port==1030,http -Y "ip.src==192.168.20.11 and tcp.srcport==1030 and http.request.method=='POST' and tcp.reassembled.data" -T fields -e tcp.reassembled.data -i vestas_sim_br
edit flag offensive delete link more

Comments

Thanks, I was able to resolve the issue just earlier, it worked after I removed, the http.request.method=='POST' as my docker network was different from the .pcap file. Didn't know about lack of support for multiple -Y, worked for me. I'll still combine the filters into one as per your advice.

Yury gravatar imageYury ( 2020-12-15 19:43:47 +0000 )edit

The final command: tshark -d tcp.port==1030,http -Y "ip.src==192.168.20.11 and tcp.srcport==1030 and tcp.reassembled.data" -T fields -e tcp.reassembled.data -i vestas_sim_br

Yury gravatar imageYury ( 2020-12-15 19:48:37 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-12-15 18:46:18 +0000

Seen: 727 times

Last updated: Dec 15 '20

Related questions

http.time using tshark [closed]

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

http request and response clarification!

How to plot HTTP requests/sec graph?

why protocol is not showing as HTTP even though we sent http request ?

How can I get https to show in Wireshark?

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Cause Of Server Hello Delay

Using tshark filters to extract only interesting traffic from 12GB trace

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2