i want to get http.response_for.uri in tshark

savecancel

I tried the command you provided to access the yahoo article, but nothing is displayed.

By the way, URLs that are not accessed irregularly are displayed.

The URL is below.

192.168.0.30 is used as a file server and no web service has been started.

Not even a gateway.

http://192.168.0.30:8080/T/216/EwbIR8...

I tried the command you provided to access the yahoo article, but nothing is displayed.

What happens if you try the command

tshark -i 4 -w {capture file}

where {capture file} is the pathname for some file in a directory in which you can create a file, let it run for a while until you know that it would have captured the traffic containing the request and reply, stop the capture by typing control-C and then run the commands

tshark -r {capture file} -T fields -e http.request.full_uri -Y "http.request and http"

and

tshark -r {capture file}

Does the first command show the field?

Does the second command show any HTTP traffic?

http://192.168.0.30:8080/T/...

Maybe the traffic over port 8080 is not recognized as http. You can force it be adding the 'decode as' option:

 -d tcp.port==8080,http

What is 2-pass and -2 flag.

Please tell me specifically.

It's described in the tshark man page right at the start of the options list.

I ran it with "-2", but the following message is displayed. .

tshark: Live captures do not support two-pass analysis.

tshark -2 -i 4 -E separator=, -T fields -e http.response_for.uri

Then you will have to capture the traffic and write it to a file, and then run tshark, reading the file, with -2.

It is necessary to get the URL in real time as a requirement.

How can I get the URL accessed in real time?