Capturing HTTP headers using tshark

2021-01-09

How can I capture the HTTP traffic containing the header information using tshark in realtime?

You mention "capture" and "realtime" in the same sentence.

Are you looking to capture HTTP packets and write them to a file for later analysis, or
do you want to capture only HTTP packets and decode them to the screen or a pipe?

Chuckc ( 2021-01-09 )

Hi Chuck,

My first option is showing the HTTP header while the client is accessing the web server. But if it is not possible to do that in realtime, I can capture the traffic to the file and apply some filter to get the HTTP headers.

moraist ( 2021-01-09 )

1 Answer

2021-01-09

updated 2021-01-09

(tshark man page)
The Windows machine I ran it on has many interfaces (-i 5). Pick an appropriate interface on your system.

C:\>tshark -i 5 -Y http -O http
Capturing on 'Ethernet'
Frame 12: 594 bytes on wire (4752 bits), 594 bytes captured (4752 bits) on interface \Device\NPF_{xxx}, id 0
Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: xx:xx:xx:xx:xx:xx
Internet Protocol Version 4, Src:, Dst:
Transmission Control Protocol, Src Port: 29526, Dst Port: 80, Seq: 1, Ack: 1, Len: 540
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1

Thanks, Chuckc

moraist ( 2021-01-09 )
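
Added example, not part of the original answer: a Python filter that reduces the `-O http` text shown above to the start line and header lines of each HTTP message, so it can sit on the pipe mentioned in the question. It assumes the indentation layout of the output above; `parse_http_messages` is a hypothetical name, and the sample input (including its Host and User-Agent values and the second frame) is constructed.

```python
import re
import sys

FRAME_RE = re.compile(r"^Frame (\d+):")
# Under "Hypertext Transfer Protocol", the start line and each header sit at
# exactly four spaces of indent and end with a literal backslash-r-backslash-n.
WIRE_RE = re.compile(r"^ {4}(\S.*?)\\r\\n$")

# Constructed sample in the layout of the output above (assumed layout).
SAMPLE = r"""Frame 12: 594 bytes on wire (4752 bits), 594 bytes captured (4752 bits)
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
    Host: www.example.com\r\n
    User-Agent: curl/7.74.0\r\n
    \r\n
Frame 14: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits)
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Content-Length: 0\r\n
    \r\n
"""

def parse_http_messages(lines):
    """Yield (frame_number, start_line, [(name, value), ...]) per HTTP message."""
    frame, in_http, start, headers = None, False, None, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.startswith(" "):
            if start is not None:  # any unindented line ends the current message
                yield frame, start, headers
                start, headers = None, []
            m = FRAME_RE.match(line)
            if m:
                frame = int(m.group(1))
            in_http = line == "Hypertext Transfer Protocol"
        elif in_http and (w := WIRE_RE.match(line)):
            if start is None:
                start = w.group(1)  # request line or status line
            else:
                name, _, value = w.group(1).partition(":")
                headers.append((name, value.strip()))  # list keeps duplicate headers
    if start is not None:
        yield frame, start, headers

if __name__ == "__main__":  # live: tshark -l -i 5 -Y http -O http | python this_script.py
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for frame, start, headers in parse_http_messages(src):
        print(frame, start, headers, flush=True)
```

The `-l` option makes tshark flush its output after each packet, so the pipe updates as requests arrive. Only cleartext HTTP is visible to this filter.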

Asked: 2021-01-09

Last updated: Jan 09 '21