Capturing HTTP headers using tshark
How can I capture the HTTP traffic containing the header information using tshark in realtime?
(tshark man page)
The Windows machine I ran it on has many interfaces (-i 5). Pick an appropriate interface on your system.
C:\>tshark -i 5 -Y http -O http
Capturing on 'Ethernet'
Frame 12: 594 bytes on wire (4752 bits), 594 bytes captured (4752 bits) on interface \Device\NPF_{xxx}, id 0
Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: xx:xx:xx:xx:xx:xx
Internet Protocol Version 4, Src: 192.168.xxx.xxx, Dst: 192.168.xxx.xxx
Transmission Control Protocol, Src Port: 29526, Dst Port: 80, Seq: 1, Ack: 1, Len: 540
Hypertext Transfer Protocol
GET / HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
[GET / HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /
Request Version: HTTP/1.1
<snip>
Asked: 2021-01-09 01:06:33 +0000
Seen: 2,694 times
Last updated: Jan 09 '21
You mention "capture" and "realtime" in the same sentence.
Are you looking to capture HTTP and write them to a file for later analysis or
do you want to capture only HTTP packets and decode them to the screen or a pipe?
Hi Chuck,
My first option is showing the HTTP header while the client is accessing the web server. But if it is not possible to do that in realtime, I can capture the traffic to the file and apply some filter to get the HTTP headers.